Splunk Cloud Platform Service Description

Splunk Cloud Platform introduction

Welcome to the Splunk Cloud Platform service description.

Splunk Cloud Platform delivers the benefits of award-winning Splunk® Enterprise as a cloud-based service. Using Splunk Cloud Platform, you gain the functionality of Splunk Enterprise for collecting, searching, monitoring, reporting, and analyzing all of your real-time and historical machine data using a cloud service that is centrally and uniformly delivered by Splunk to its large number of cloud customers, from Fortune 100 companies to small and medium-size businesses. Unless otherwise noted in Release Notes, Splunk manages and updates the Splunk Cloud Platform service uniformly, so all customers of Splunk Cloud Platform receive the most current features and functionality.

Splunk Cloud Platform provides a complete suite of self-service capabilities for you to ingest data, customize data retention settings, customize user roles and centralized authentication, configure searches and dashboards, update your IP Allow List and perform app management. In addition, you can use the Cloud Monitoring Console (CMC) to holistically monitor the data consumption and health of your Splunk Cloud Platform environment. Finally, ensure your Operational Contacts are kept up-to-date; see Your maintenance responsibilities for more details.

Your subscription to the Splunk Cloud Platform service is workload-based and is sized for resource capacity. By exception, you may be on an ingest-based subscription that is sized for data volume ingested. For more information, see Subscription types.

This document describes the features, capabilities, limitations, and constraints of the Splunk Cloud Platform service and our responsibilities to you as a Software as a Service provider. This document also notes your responsibilities as a subscriber to the service. Be sure to read the complete service description and the service terms and policies documents listed in the following section. If you have questions after reading any of this material, contact your Splunk sales representative.

Service terms and policies

The following links access important terms and policies documents that pertain to the Splunk Cloud Platform service. Be sure to read these documents to have a clear understanding of the service. If you have any questions, contact your Splunk sales representative.

Available regions and region differences

Splunk Cloud Platform is available in the following global regions for new stacks.

Service Component | AWS regions | Google Cloud regions
Victoria Experience | US (Oregon, Virginia); UK (London); Europe (Dublin, Frankfurt, Milan, Paris); Asia Pacific (Singapore, Sydney, Tokyo); Canada (Central) | Not currently available
Classic Experience | US (GovCloud US-West, GovCloud US-East); Europe (Stockholm); Asia Pacific (Mumbai, Seoul) | US (Iowa); UK (London); Europe (Belgium, Frankfurt); Asia Pacific (Singapore, Sydney); Canada (Montreal)
Admin Config Service (ACS) | Available | Available
View scheduled maintenance window via ACS and CMC | Available, except GovCloud US-West and GovCloud US-East regions | Available
Data Manager | Available, except GovCloud US-West and GovCloud US-East regions | Not currently available
Edge Processor solution | US (Oregon, Virginia); UK (London); Europe (Dublin, Frankfurt, Paris); Asia Pacific (Singapore, Sydney, Tokyo); Canada (Central) | Not currently available
Ingest Processor | US (Oregon, Virginia); UK (London); Europe (Dublin, Frankfurt); Asia Pacific (Singapore, Sydney, Tokyo); Canada (Central) | Not currently available
Federated search for Splunk | Available | Available
Federated search for Amazon S3 | Available. Also available for FedRAMP Moderate and DoD IL5 in GovCloud US-West and GovCloud US-East regions. | Not currently available
Ingest actions | Available: filtering, masking and routing on customer-managed heavy forwarders or in the Splunk Cloud Platform environment | Available: filtering and masking on customer-managed heavy forwarders or in the Splunk Cloud Platform environment (version 9.1.2312 and higher)
Splunk Secure Gateway | Available, except GovCloud US-West and GovCloud US-East regions | Available
Storage: Customer-managed encryption keys (Preview) | Available | Available, for DDAS
Splunk AI Assistant for SPL | US (Oregon, Virginia); UK (London); Europe (Dublin, Frankfurt, Paris); Asia Pacific (Singapore, Sydney, Tokyo); Canada (Central) | Not currently available

Compliance and certifications

Splunk has attained a number of compliance attestations and certifications from industry-leading auditors as part of our commitment to adhere to industry standards worldwide and part of our efforts to safeguard customer data. The following compliance attestations/certifications are available:

  • SOC 2 Type II: Splunk Cloud Platform has an annual SOC 2 Type II audit report issued. The SOC 2 audit assesses an organization's security, availability, and confidentiality processes to provide assurance about the systems that a company uses to protect customers' data. If you require the SOC 2 Type II attestation to review, contact your Splunk sales representative to request it.
  • ISO 27001: Splunk Cloud Platform is ISO/IEC 27001:2013-certified. ISO/IEC 27001:2013 is a standard for an information security management system, specifying the policies and procedures for all legal, physical, and technical controls used by an organization to minimize risk to information. See https://www.splunk.com/pdfs/legal/splunk-ISO-27001-certificate.pdf to access a PDF version of the Splunk ISO 27001 certificate.

For information regarding the availability of service components between the AWS and Google Cloud regions, see Available regions and region differences.

If your data must be maintained in a regulated cloud environment to assist you with meeting your compliance needs, Splunk Cloud Platform provides these optional subscriptions. Not all features may be available in regulated cloud environments. Please see feature-specific Documentation for more details.

  • U.S. Department of Defense (DoD) Impact Level 5 (IL5): U.S. Defense Information Systems Agency (DISA) has granted the Splunk Cloud Platform U.S. Department of Defense (DoD) Impact Level 5 (IL5) Provisional Authorization (PA). U.S. Government agencies are now able to leverage the power of Splunk Cloud Platform to solve their challenging mission-critical problems, even when working with high sensitivity Controlled Unclassified Information (CUI). This subscription is available in the AWS GovCloud (US) regions, which are isolated regions designed to address specific regulatory and compliance requirements. Cryptographic modules used in the Splunk Cloud Platform FedRAMP offering are FIPS 140-2 validated encryption modules. For information about apps validated by FedRAMP, see FedRAMP Moderate, High, and DoD IL5 validated premium solutions and apps.
  • FedRAMP Moderate: Splunk Cloud Platform FedRAMP is authorized by the General Services Administration FedRAMP PMO at the Moderate Impact Level. Splunk Cloud Platform FedRAMP addresses the needs of the U.S. Government, State and Local customers, educational institutions, and commercial customers who seek FedRAMP authorized services, and allows them to run sensitive workloads in the cloud. This subscription is available in the AWS GovCloud (US) regions, which are isolated regions designed to address specific regulatory and compliance requirements. Cryptographic modules used in the Splunk Cloud Platform FedRAMP offering are FIPS 140-2 validated encryption modules. For information about apps validated by FedRAMP, see FedRAMP Moderate, High, and DoD IL5 validated premium solutions and apps.
  • FedRAMP High: Splunk Cloud Platform FedRAMP High is authorized by the General Services Administration FedRAMP PMO at the High Impact level. Splunk Cloud Platform FedRAMP High addresses the needs of the U.S. government, Law Enforcement and Emergency Services agencies, and commercial customers who seek FedRAMP High authorized services, and allows them to run highly sensitive workloads in the cloud. This subscription is available in the AWS GovCloud (US) regions, which are isolated regions designed to address specific regulatory and compliance requirements. Cryptographic modules used in the Splunk Cloud FedRAMP High offering are FIPS 140-2 validated encryption modules. For information about apps validated for FedRAMP, see FedRAMP Moderate, High, and DoD IL5 validated premium solutions and apps.
  • Health Insurance Portability and Accountability Act (HIPAA): Splunk Cloud Platform (HIPAA) is compliant with the HIPAA Security Rule and HITECH Breach Notification Requirements. These regulations establish a standard for the security of any entity that accesses, processes, transmits, or stores electronic protected health information (ePHI).
  • Information Security Registered Assessors Program (IRAP): Splunk attests Splunk Cloud Platform against the PROTECT level of the IRAP standard. The IRAP standard allows the Commonwealth of Australia and commercial customers to run sensitive workloads by using an IRAP assessed Splunk Cloud Platform environment in Australia (AWS Sydney region).
  • Payment Card Industry Data Security Standard (PCI DSS): Splunk tests Splunk Cloud Platform for compliance with the PCI DSS v4.0 standard. This standard applies to any entity that processes, transmits, or stores payment card data as well as their critical service providers.

The table lists additional information for regulated cloud environments.

Subscription type | Region availability | Encryption at rest | IP Allow List | Certification documents
DoD IL5 | GovCloud (US-West and US-East) | Enabled by default. Splunk manages the encryption keys on your behalf and they are regularly rotated. | You must provide IP allow list rules to access your Splunk Cloud Platform IL5 environment located in the splunkcloud.mil domain. | Contact your Splunk sales representative to learn more about Splunk Cloud Platform IL5.
FedRAMP Moderate | GovCloud (US-West and US-East) | Enabled by default. Splunk manages the encryption keys on your behalf and they are regularly rotated. | You must provide IP allow list rules to access your Splunk Cloud Platform FedRAMP environment located in the splunkcloudgc.com domain. | If you are a Federal agency, request the Splunk Cloud Platform FedRAMP package from the FedRAMP Marketplace. Otherwise, contact your Splunk sales representative.
FedRAMP High | GovCloud (US-West and US-East) | Enabled by default. Splunk manages the encryption keys on your behalf and they are regularly rotated. | You must provide IP allow list rules to access your Splunk Cloud Platform FedRAMP environment located in the splunkcloudfed.com domain. | If you are a Federal agency, request the Splunk Cloud Platform FedRAMP package from the FedRAMP Marketplace. Otherwise, contact your Splunk sales representative.
HIPAA | All AWS and Google Cloud regions | Enabled by default. Splunk manages the encryption keys on your behalf and they are regularly rotated. If available in your region, you have the option to manage the encryption keys instead. | You must provide IP allow list rules to access your Splunk Cloud Platform HIPAA environment. | If you require the HIPAA compliance report to review, contact your Splunk sales representative to request a copy.
IRAP | AWS Sydney region | Enabled by default. Splunk manages the encryption keys on your behalf and they are regularly rotated. Optionally, you can choose to manage the encryption keys. | You must provide IP allow list rules to access your Splunk Cloud Platform IRAP environment. | If you require the IRAP attestation of compliance to review, contact your Splunk sales representative to request a copy.
PCI DSS | All AWS regions except GovCloud (US-West and US-East); all Google Cloud regions | Enabled by default. Splunk manages the encryption keys on your behalf and they are regularly rotated. If available in your region, you have the option to manage the encryption keys instead. | You must provide IP allow list rules to access your Splunk Cloud Platform PCI DSS environment. | If you require the PCI DSS attestation of compliance to review, contact your Splunk sales representative to request a copy.

Data collection

Splunk Cloud Platform provides software and APIs that enable you to ingest data from your applications, cloud services, servers, network devices, and sensors into the service.

Unless otherwise described in feature-specific Documentation, the following sections describe how you can send data to Splunk Cloud Platform.

Using Splunk forwarders

There are two types of forwarder software: the universal forwarder and the heavy forwarder. In most situations, the universal forwarder is the best choice for Splunk Cloud Platform: it includes only the components needed to forward data, uses significantly fewer hardware resources, and scales well. A heavy forwarder is required for use cases where data must be parsed before forwarding, or forwarded based on criteria such as source or event type. Your Splunk Cloud Platform subscription includes a deployment server license for centralized configuration management of your forwarders; you can request it from Splunk Support. Setup, enablement, transformation, and sending data from forwarders to your Splunk Cloud Platform environment are your responsibility. This means you are responsible for installing, configuring, and managing your forwarders, including maintaining version compatibility; for more information, see Supported forwarder versions. You can use Ingest actions to route, filter, and mask data while it is streamed to your Splunk Cloud Platform environment. You are also responsible for installing the data collection components of any app you want to use in Splunk Cloud Platform on a Splunk forwarder.

As part of onboarding to the service, Splunk provides you with the IP addresses that you use to send data to Splunk Cloud Platform using forwarders. These IP addresses remain constant during your subscription period. If you increase your subscription level, you may receive additional IP addresses to send data to. In the rare event of an IP address change, Splunk provides you with advance notification. Most customers need to add these IP addresses to their outbound firewall rules so that their data is successfully forwarded to Splunk Cloud Platform. To simplify lifecycle management of your outbound firewall rules, Splunk requires that you use the actual IP addresses provided or the DNS mapping.

For more information about scripted and modular inputs, see Experience designations.

For more information, see Upload Data and Use the Ingest Actions page in the Getting Data In manual.

Using HTTP Event Collector (HEC)

HEC lets you send data and application events to Splunk Cloud Platform over HTTPS using token-based authentication. You generate a token and then configure a logging library or HTTPS client with the token to send data to HEC in a specific format. HEC is enabled by default for your Splunk Cloud Platform environment, with a maximum content length of 1 MB per request. You are responsible for setup, enablement, transformation, and sending data to your Splunk Cloud Platform environment via HEC. You are also responsible for monitoring and remediating any HEC error codes returned by Splunk Cloud Platform, to ensure no interruption of your data ingestion. For more information, see the following:
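
The client-side responsibilities described above (token authentication, the 1 MB content-length limit, and monitoring HEC error codes), as an added example that is not part of the service description or of any Splunk code. The stack URL, token, and retry policy are placeholders and assumptions of this example; a real deployment drops the simulated transport and sends to its own HEC endpoint:

```python
"""Added example: a minimal HEC client that batches events under the 1 MB
content-length limit and treats HEC error responses as operational signals.
Not code from Splunk or the service description; the stack URL, token and
retry policy are placeholders chosen for illustration."""
import json
import time
import urllib.error
import urllib.request

# The service description states a 1 MB maximum content length per HEC request.
# Stay under it with a margin so envelope overhead never pushes a batch over.
HEC_MAX_BYTES = 1_000_000


def hec_envelope(event, sourcetype, host, index=None):
    """Wrap one event in the HEC JSON envelope and return it as UTF-8 bytes."""
    body = {"event": event, "sourcetype": sourcetype, "host": host}
    if index:
        body["index"] = index
    if isinstance(event, dict) and "time" in event:
        body["time"] = event["time"]  # epoch seconds; HEC uses it as _time
    return json.dumps(body, separators=(",", ":")).encode("utf-8")


def build_batches(events, sourcetype, host, index=None, max_bytes=HEC_MAX_BYTES):
    """Greedily pack envelopes into request bodies that stay under max_bytes.

    HEC accepts several JSON objects concatenated in one body, so a batch is
    the envelopes joined with no separator. An event that alone exceeds the
    limit can never be accepted, so it is rejected up front instead of being
    sent and failing on every retry.
    """
    batches, current, size = [], [], 0
    for ev in events:
        blob = hec_envelope(ev, sourcetype, host, index)
        if len(blob) > max_bytes:
            raise ValueError(f"single event of {len(blob)} bytes exceeds {max_bytes}")
        if current and size + len(blob) > max_bytes:
            batches.append(b"".join(current))
            current, size = [], 0
        current.append(blob)
        size += len(blob)
    if current:
        batches.append(b"".join(current))
    return batches


def classify_response(status, body):
    """Map an HTTP status and HEC JSON body to ("ok" | "retry" | "fatal", detail).

    HEC replies with {"text": ..., "code": N}; code 0 is success. Transient
    server-side conditions are retried; client-side errors (bad token, bad
    data format, wrong index) are fatal and need an operator, not a retry.
    """
    try:
        detail = json.loads(body.decode("utf-8", "replace"))
    except ValueError:
        detail = {"text": body[:200].decode("utf-8", "replace"), "code": None}
    if status == 200 and detail.get("code") == 0:
        return "ok", detail
    if status in (408, 429) or status >= 500:
        return "retry", detail
    return "fatal", detail


def urllib_transport(request, timeout=30):
    """Default transport: return (status, body) for any HTTP response, error or not."""
    try:
        with urllib.request.urlopen(request, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def send_batch(url, token, payload, transport=urllib_transport, max_attempts=5, sleep=time.sleep):
    """POST one batch with exponential backoff on retryable responses.

    Returns (outcome, detail, attempts). A "fatal" outcome, or "retry" after
    the last attempt, must be logged and alerted on: monitoring HEC error
    codes is the subscriber's responsibility.
    """
    request = urllib.request.Request(
        url, data=payload, method="POST",
        headers={"Authorization": f"Splunk {token}", "Content-Type": "application/json"},
    )
    outcome, detail = "retry", {}
    for attempt in range(1, max_attempts + 1):
        status, body = transport(request)
        outcome, detail = classify_response(status, body)
        if outcome != "retry":
            return outcome, detail, attempt
        sleep(min(2 ** attempt, 30))
    return outcome, detail, max_attempts


if __name__ == "__main__":
    # Placeholders: a Splunk Cloud Platform HEC endpoint has the form
    # https://http-inputs-<stack>.splunkcloud.com:443/services/collector/event
    HEC_URL = "https://http-inputs-example.splunkcloud.com:443/services/collector/event"
    HEC_TOKEN = "00000000-0000-0000-0000-000000000000"
    sample = [{"time": 1700000000, "msg": "login ok", "user": "alice"},      # constructed events
              {"time": 1700000001, "msg": "login failed", "user": "bob"}]
    # Constructed reply sequence so the demo runs offline: one "busy", then success.
    # Drop the transport/sleep arguments to send to a real stack.
    replies = iter([(503, b'{"text":"Server is busy","code":9}'),
                    (200, b'{"text":"Success","code":0}')])
    for batch in build_batches(sample, sourcetype="app:auth", host="web-01"):
        print(send_batch(HEC_URL, HEC_TOKEN, batch,
                         transport=lambda req: next(replies), sleep=lambda s: None))
```

The split between "retry" and "fatal" is the point: a 503 from a busy stack is worth backing off on, but a 403 (bad or disabled token) or 400 (malformed event) will never succeed on retry and should page whoever owns the token or the producing application.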

Using AWS Kinesis Data Firehose

For Splunk Cloud Platform in AWS regions, there is an additional data collection option. AWS Kinesis Data Firehose is a fully managed, scalable, and serverless option for streaming data from various AWS services directly into Splunk Cloud Platform. Setup, enablement, transformation, and sending data to your Splunk Cloud Platform environment is your responsibility. If you choose to use the Kinesis Data Firehose service for data ingestion, you are responsible for enabling and configuring AWS Kinesis Data Firehose, and for paying AWS for this service. For more information, see Install and configure the Splunk Add-on for Amazon Kinesis Firehose on a Splunk Cloud Platform deployment in the Splunk Add-on for Amazon Kinesis Firehose manual.

Using the Edge Processor solution

The Edge Processor solution provides an intermediate forwarding tier for your Splunk forwarders, with centralized cloud-based control and configuration management. For use cases where data must be parsed before forwarding, or forwarded based on criteria such as source or event type, the Edge Processor solution is a potential alternative to using a heavy forwarder. Additionally, the Edge Processor solution provides filtering, masking, and routing functionality. For more information, see About the Edge Processor solution.

Using Ingest Processor

Ingest Processor is a data processing solution that works within your Splunk Cloud Platform deployment. Use the Ingest Processor to configure data flows, control data format, apply transformation rules, log metricization prior to indexing, and route to destinations.

The Ingest Processor solution is suitable for Splunk Cloud Platform administrators who use forwarders or HTTP Event Collector (HEC) to get data into their deployments.

You can easily deploy and use Ingest Processor since it does not require any additional infrastructure in your Splunk Cloud Platform environment. Ingest Processor will seamlessly scale and adjust your infrastructure resources according to your organization's needs. The Ingest Processor solution also lets you manage your data processing configurations and monitor your data ingest traffic through a centralized Splunk Cloud service. For more information, see About Ingest Processor.

Additional information about data collection

Data compression

Forwarders and HEC clients compress data when sending over TLS. The compression ratio varies with the content, generally between 8:1 and 12:1.

Encryption in transit

For security, data in transit is encrypted with TLS 1.2 or later. Senders and receivers authenticate each other, and HTTP-based data collection is secured using token-based authentication.

For Splunk hybrid solutions with on-premises components, data in transit between those on-premises components is encrypted only if the connections are configured to be encrypted.

IP allow list

Unless otherwise described in feature-specific Documentation, you can restrict data collection to allowed source IP addresses by using the Admin Config Service (ACS). If you do not have access to ACS in your Splunk Cloud Platform region, file a support ticket and Splunk will assist you with this task. For more information about ACS, see Configure IP allow lists for Splunk Cloud Platform.
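
An added example, not code from Splunk or from this service description, of the check a practitioner should run before submitting an allow list through ACS: it refuses entries that would disable the control (0.0.0.0/0), entries wider than a local policy minimum, internal ranges that can never be the source address the stack sees, malformed CIDRs and duplicates, and only then builds the ACS request. The endpoint path, body shape, feature names, stack name and token are assumptions of the example taken from the ACS API reference as the author reads it, not from this page:

```python
"""Added example: validate a proposed IP allow list before submitting it through
ACS, and build the ACS request that applies it. Not code from Splunk or the
service description. Assumed, not stated on the page: the ACS endpoint path
and body shape (POST .../adminconfig/v2/access/<feature>/ipallowlists with
{"subnets": [...]}) follow the ACS API reference as the author reads it, the
feature names are the ones that reference lists, and the minimum prefix
lengths are a local policy choice."""
import ipaddress
import json
import urllib.request

ACS_FEATURES = ("search-ui", "search-api", "hec", "s2s", "idm-ui", "idm-api")

# Ranges that can never be the source address the stack sees, so an entry inside
# them is a mistake (typically someone pasting an internal CIDR): private,
# loopback, link-local, multicast and reserved space for both address families.
NEVER_A_SOURCE = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10", "ff00::/8")]


def validate_subnets(subnets, min_prefix_v4=24, min_prefix_v6=64):
    """Return (accepted, rejected): accepted is a list of normalised CIDR strings,
    rejected maps each bad entry to the reason it was refused."""
    accepted, rejected, seen = [], {}, set()
    for entry in subnets:
        try:
            net = ipaddress.ip_network(entry, strict=True)  # refuses host bits set
        except ValueError as err:
            rejected[entry] = f"not a valid CIDR network ({err})"
            continue
        if net.prefixlen == 0:
            rejected[entry] = "0.0.0.0/0 or ::/0 allows every source and defeats the control"
            continue
        limit = min_prefix_v4 if net.version == 4 else min_prefix_v6
        if net.prefixlen < limit:
            rejected[entry] = f"/{net.prefixlen} is wider than the policy minimum of /{limit}"
            continue
        if any(net.subnet_of(b) for b in NEVER_A_SOURCE if b.version == net.version):
            rejected[entry] = "private, loopback, link-local or reserved space is never a source"
            continue
        if net in seen:
            rejected[entry] = "duplicate entry"
            continue
        seen.add(net)
        accepted.append(str(net))
    return accepted, rejected


def build_acs_request(stack, feature, subnets, token):
    """Build the POST that adds subnets to the allow list of one ACS feature.
    Refuses to build anything if a single entry fails validation, so a typo
    cannot be applied alongside the good entries."""
    if feature not in ACS_FEATURES:
        raise ValueError(f"unknown ACS feature {feature!r}")
    accepted, rejected = validate_subnets(subnets)
    if rejected or not accepted:
        raise ValueError(f"refusing to submit allow list: {rejected or 'empty list'}")
    return {
        "url": f"https://admin.splunk.com/{stack}/adminconfig/v2/access/{feature}/ipallowlists",
        "headers": {"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        "body": json.dumps({"subnets": accepted}).encode("utf-8"),
    }


def submit(req, timeout=30):
    """Send a request built by build_acs_request; returns (status, body)."""
    r = urllib.request.Request(req["url"], data=req["body"], headers=req["headers"], method="POST")
    with urllib.request.urlopen(r, timeout=timeout) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    # Constructed input mixing good entries with the mistakes seen most often.
    proposed = ["203.0.113.0/24", "198.51.100.8/32", "10.0.0.0/8", "0.0.0.0/0",
                "203.0.113.5/24", "192.168.1.0/24", "203.0.113.0/24", "2001:db8::/64"]
    ok, bad = validate_subnets(proposed)
    print("accepted:", ok)
    for entry, why in bad.items():
        print(f"rejected {entry}: {why}")
    # Build (but do not send) the request for the good entries. Stack name and
    # token are placeholders; call submit(req) to apply it to a real stack.
    req = build_acs_request("example", "search-ui", ok, "REPLACE-WITH-ACS-TOKEN")
    print(req["url"], req["body"].decode())
```

Run the validation against the list you intend to submit, not after the fact: the one mistake that matters here, a /0 or a very wide prefix, silently removes the control rather than breaking anything visibly.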

Differences between Splunk Cloud Platform and Splunk Enterprise

Customers who are familiar with Splunk Enterprise should not assume that the architecture or operational characteristics of a customer-managed Splunk deployment carry over to the Splunk Cloud Platform service. The table lists the ways that Splunk Cloud Platform differs from Splunk Enterprise.

Area | Difference
Apps | To ensure security and minimize effects on performance, only vetted and compatible apps can run on Splunk Cloud Platform. The app browser in Splunk Web or Splunkbase lists vetted and compatible Splunk Cloud Platform apps. You can install some apps directly through the app browser (self-service installation). When an app cannot be self-installed, including for an IDM, you must open a support ticket and Splunk Support will install the app on your behalf. Your private apps can also be self-service installed. During private app installation, Splunk automatically validates your private app for Splunk Cloud Platform. Issues identified by automated validation must be remediated. You can install private apps without manual validation, and you must acknowledge the Splunk General Terms regarding the potential impact of unremediated issues on your Splunk Cloud Platform environment.
Command-line interface (CLI) access | Splunk Cloud Platform does not allow customers direct access to the infrastructure, so you do not have CLI access to Splunk Cloud Platform. Any supported task that requires CLI access is performed through the self-service capabilities of Splunk Cloud Platform or by filing a service ticket.
Data integrity control | Splunk Cloud Platform exclusively leverages SmartStore, and SmartStore-enabled indexes are not compatible with the data integrity control feature. Splunk Cloud Platform inherits the Cloud Service Provider (CSP) storage layer integrity characteristics.
Direct TCP, UDP, file, and syslog inputs | Splunk Cloud Platform does not accept these types of data directly. For Splunk Cloud Platform to receive data sources such as TCP, UDP, file, and syslog, you must use Splunk forwarder software as an agent to send data to Splunk Cloud Platform. This helps ensure reliable, managed, fault-tolerant delivery of your data into Splunk Cloud Platform.
Direct TCP, UDP, file, and syslog outputs | Splunk Cloud Platform does not accept unencrypted outputs at the search head tier, and does not support outputs of any kind at the indexer tier, including custom search commands such as cefout (bundled with Splunk App for CEF). This helps ensure reliable and fault-tolerant performance of your Splunk Cloud Platform environment.
Dynamic Data Active Archive | Dynamic Data Active Archive (DDAA) is only available in Splunk Cloud Platform and is an optional subscription. DDAA offers a lower-cost option for long-term storage of your ingested data.
Export of your ingested data to Amazon S3 or Google Cloud Storage using Dynamic Data Self-Storage | Dynamic Data Self-Storage is only available in Splunk Cloud Platform.
Federated search for Amazon S3 | Federated search for Amazon S3 is available only to users of Splunk Cloud Platform on AWS and is an optional Add-On subscription. It lets you search data in your Amazon S3 buckets from your Splunk Cloud Platform deployment without needing to ingest or index it first.
Indexer Discovery | Indexer Discovery is not supported in Splunk Cloud Platform. This applies to both HEC and forwarders.
License pooling and exceeding purchased daily index volume | Splunk Cloud Platform does not support license pooling. In addition, you can exceed your purchased daily index volume a maximum of five times in a calendar month. For more information, review the data ingestion and daily license usage policy in Data policies in the "Subscription types" section.
Monitoring console | The Cloud Monitoring Console (CMC) app is included in your Splunk Cloud Platform environment. CMC replaces the Monitoring Console used in Splunk Enterprise. You use CMC to holistically monitor the data consumption and health of your Splunk Cloud Platform environment.
Multifactor authentication | While Splunk Enterprise has built-in support for multifactor authentication such as Duo and RSA, Splunk Cloud Platform does not support these methods of authentication. To use multifactor authentication for your Splunk Cloud Platform user accounts, you must configure a SAML v2 identity provider that supports multifactor authentication.
Native alerts | Splunk Cloud Platform does not provide system-level access. This means you cannot define alerts that run operating-system scripts or use other system services (although vetted and compatible apps can do so). Alerts can be sent by email or by HTTPS POST using Splunk software webhooks. You might be required to set up an endpoint inside your network. If you have both Splunk Enterprise and Splunk Cloud Platform, you can run an on-premises search head to support searches that require alert actions. For more information, see Set up an Adaptive Response relay in the Administer Splunk Enterprise Security Manual.
Real-time search | In Splunk Cloud Platform on Victoria Experience, real-time searches are enabled by default. In Splunk Cloud Platform on Classic Experience, you open a support ticket to enable real-time search. Note that real-time searches are resource intensive and can impact the overall health and performance of your searches.
REST API | Differences in implementation details between Splunk Cloud Platform and Splunk Enterprise, plus the permissions of the sc_admin role, affect REST API access. In Splunk Cloud Platform, you open a support ticket to enable REST API access. In addition, Splunk Cloud Platform supports a subset of the REST API endpoints available in Splunk Enterprise. For more information, see Access requirements and limitations for the Splunk Cloud Platform REST API in Splunk Cloud Platform REST API Tutorials.
Scripted and Modular Inputs | For more information, see Experience designations.
Search performance | Splunk Cloud Platform leverages a multi-tier storage architecture and manages the movement of data to optimize performance based on user search patterns. Generally, recently processed data (recently ingested, searched, analyzed for machine learning, and so on) performs better than data that has not been processed for some time. This behavior applies to all data, including metrics data.
sc_admin role | For the customer's administrator users, Splunk Cloud Platform provides the sc_admin role, which has sufficient capabilities to administer Splunk Cloud Platform. Your administrator can use the sc_admin role to perform self-service tasks such as installing apps, creating and managing indexes, and managing users and their passwords.
System user roles | Your Splunk Cloud Platform environment comes with predefined system roles and system users that Splunk uses to perform essential monitoring and maintenance activities. You should not delete or modify these system users or roles.
Workload Management | Splunk Cloud Platform provides pre-configured workload pools for your use. For details, see Workload Management overview in the Splunk Cloud Platform Admin Manual.
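
For the "Native alerts" row above, an added example (not code from Splunk or from this service description) of the endpoint you set up inside your network to receive webhook alert actions. It checks the source address against your stack's egress ranges, compares a shared secret carried in the URL path in constant time, caps the body size, and validates the JSON before acting on it. The payload field names, egress range, secret, and certificate paths are assumptions of the example; in particular it assumes the built-in webhook action adds no custom headers, which is why the secret lives in the URL configured on the alert:

```python
"""Added example: a webhook receiver for Splunk alert actions with the checks an
endpoint exposed to the stack should have. Not code from Splunk or the service
description. Assumed, not stated on the page: the payload field names (sid,
search_name, result, results_link) follow the webhook alert action reference as
the author reads it; the secret path, egress ranges and certificate paths are
placeholders; and because the built-in webhook action sends no custom headers,
the shared secret is carried in the URL path configured on the alert."""
import hmac
import ipaddress
import json
import ssl
from http.server import BaseHTTPRequestHandler, HTTPServer

MAX_BODY = 256 * 1024                                # an alert posts one result row
REQUIRED_FIELDS = ("sid", "search_name", "result")   # assumed payload fields, see above


def check_request(remote_ip, path, body, secret_path, allowed_sources):
    """Decide whether a POST should be processed. Returns (ok, reason, payload).

    Order matters: the source check is cheapest and leaks nothing, the path
    compare is constant-time so a wrong guess cannot be timed, and the body is
    parsed only after both pass.
    """
    try:
        src = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False, "unparseable source address", None
    if not any(src in ipaddress.ip_network(c) for c in allowed_sources):
        return False, "source address not in allow list", None
    if not hmac.compare_digest(path.encode(), secret_path.encode()):
        return False, "unknown path", None
    if len(body) > MAX_BODY:
        return False, "body too large", None
    try:
        payload = json.loads(body)
    except ValueError:
        return False, "body is not JSON", None
    if not isinstance(payload, dict) or any(k not in payload for k in REQUIRED_FIELDS):
        return False, "payload missing required fields", None
    return True, "ok", payload


def handle_alert(payload):
    """Placeholder for the action taken on an accepted alert (ticket, page, playbook)."""
    print(f"alert {payload['search_name']} sid={payload['sid']} result={payload['result']}")


class AlertWebhook(BaseHTTPRequestHandler):
    secret_path = "/splunk/REPLACE-WITH-A-LONG-RANDOM-SECRET"
    allowed_sources = ["203.0.113.0/24"]   # placeholder: your stack's egress range

    def do_POST(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(min(length, MAX_BODY + 1))   # never read more than the cap
        ok, reason, payload = check_request(self.client_address[0], self.path, body,
                                            self.secret_path, self.allowed_sources)
        if not ok:
            self.log_message("rejected from %s: %s", self.client_address[0], reason)
            self.send_response(403 if "source" in reason or "path" in reason else 400)
            self.end_headers()
            return
        handle_alert(payload)
        self.send_response(204)
        self.end_headers()


def serve(bind="0.0.0.0", port=8443, certfile="server.pem", keyfile="server-key.pem"):
    """Run the receiver with TLS terminated locally (certificate paths are placeholders)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile, keyfile)
    httpd = HTTPServer((bind, port), AlertWebhook)
    httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
    httpd.serve_forever()


if __name__ == "__main__":
    # Constructed payload shaped like a Splunk webhook alert, exercised offline.
    sample = json.dumps({"sid": "scheduler__admin__search__RMD5constructed",
                         "search_name": "Failed logins spike", "app": "search", "owner": "admin",
                         "results_link": "https://example.invalid/app/search/search?sid=constructed",
                         "result": {"user": "bob", "count": "57"}}).encode()
    secret, nets = "/splunk/s3cret", ["203.0.113.0/24"]
    print(check_request("203.0.113.7", secret, sample, secret, nets))          # accepted
    print(check_request("198.51.100.7", secret, sample, secret, nets))         # wrong source
    print(check_request("203.0.113.7", "/splunk/guess", sample, secret, nets)) # wrong path
    # serve(certfile=..., keyfile=...) starts the real listener.
```

If the receiver sits behind a reverse proxy or load balancer, client_address is the proxy, not the stack; in that case take the source from the header the proxy sets and only trust that header from the proxy's own address.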

Experience designations

Your Splunk Cloud Platform environment has one of two possible Experience designations: Victoria or Classic. To locate your Splunk Cloud Platform Experience designation in Splunk Web, see Determine your Splunk Cloud Platform Experience in the Splunk Cloud Platform Admin Manual. In the medium term, all customers will move to the Victoria Experience.

Victoria Experience and Classic Experience provide nearly identical capabilities and service limits, with the following exceptions. You can use this list as guidance to ensure the best Splunk Cloud Platform experience. Keep in mind that some limits depend on a combination of configuration, system load, performance, and available resources. Contact your Splunk representative if your requirements are different.

Capability | Victoria Experience | Classic Experience
Admin Config Service (ACS) | See Admin Config Service (ACS) requirements and compatibility matrix. | See Admin Config Service (ACS) requirements and compatibility matrix.
Hybrid search | Not supported. Customers must use federated search for Splunk. | Hybrid search end of support has been announced. Customers must migrate to federated search for Splunk before October 31st, 2024.
Indexer Acknowledgement | Supported with S2S (Splunk-to-Splunk). Indexer acknowledgment in HEC is supported only with specific clients (AWS Firehose). | Supported with S2S (Splunk-to-Splunk). Indexer acknowledgment in HEC is supported only with specific clients (AWS Firehose).
Ingest Processor | Supported | Not supported
Inputs Data Manager (IDM) | Not applicable. See the "Modular and scripted inputs" row. | When you require an app installed on the IDM, open a support ticket and Splunk Support will install the app on your behalf. For more information about the IDM, see Splunk Cloud Platform features in the Splunk Cloud Platform Admin Manual.
Modular and scripted inputs | Modular and scripted inputs run directly on the search tier without the overhead of a separate IDM instance. Pull-based service limits: up to 500 GB/day for an entitlement of less than 166 SVC or 1 TB; up to 1.5 TB/day for more than 166 SVC or 1 TB. | Modular and scripted inputs must run on a separate IDM instance or a customer-managed heavy forwarder.
Private connectivity | Supported across all subscription types (SOC2, PCI, HIPAA, IRAP) | Supported in GovCloud regions (FedRAMP Moderate or FedRAMP High subscription)
Self-Service App Installation (SSAI) | Self-service installation is supported for public apps available on Splunkbase and for apps used with premium solutions such as ES and ITSI. SSAI apps are installed across all search heads in Victoria Experience, including Premium search heads. | Depending on the Splunkbase app, you may be able to self-install it (if it is marked as such) or you may need to open a support ticket. For apps used with premium solutions such as ES and ITSI, all app installations are assisted installs.

If your environment was deployed on the Classic Experience, you will be converted to the Victoria Experience when Splunk determines you have satisfied the readiness prerequisites. The conversion is initiated by Splunk and does not require any engagement with Splunk Professional Services.

FedRAMP Moderate, FedRAMP High, and DoD IL5 validated premium solutions and apps

Splunkbase is the system of record for app vetting and compatibility with Splunk Cloud Platform. Any app that is listed as compatible with Splunk Cloud Platform can be installed, inclusive of FedRAMP Moderate, FedRAMP High, and DoD IL5. The following premium solutions and apps have been validated to operate in compliance with FedRAMP Moderate, FedRAMP High, and DoD IL5. Other premium solution subscriptions not listed have not been deemed applicable to Splunk Cloud Platform FedRAMP Moderate, FedRAMP High, and DoD IL5. Deploying unvalidated premium solutions may impact the compliance of the Splunk Cloud Platform FedRAMP Moderate, FedRAMP High, and DoD IL5 environment. For other apps that fall outside of these criteria you accept the responsibility and associated risk posture.

Type | Name | Splunkbase ID
Premium solutions (requires subscription) | Splunk Enterprise Security (ES) | 263
Premium solutions (requires subscription) | Splunk IT Service Intelligence (ITSI) | 1841
Premium solutions (requires subscription) | Splunk App for PCI Compliance | 2897
Apps and add-ons | Splunkbase has the most up-to-date list of FedRAMP Moderate, FedRAMP High, and DoD IL5 validated apps and add-ons. To review the list, see https://classic.splunkbase.splunk.com/apps/#/product/all/validation/fedramp_validation | N/A

Ingestion

The amount of data that your Splunk Cloud Platform environment can collect daily is determined by your subscription type. A workload-based subscription is sized for resource capacity and does not meter ingestion. An ingest-based subscription meters ingestion to your subscription entitlement and you can always choose a higher-level ingest-based subscription to increase the amount of data that you can collect. You can see current and past daily data ingestion information using the Cloud Monitoring Console (CMC) app that is included with your Splunk Cloud Platform environment. If you consistently exceed your subscription entitlement, contact Splunk Sales to purchase an appropriate ingest-based subscription plan to handle your volume.

During ingestion, Splunk Cloud Platform indexes incoming data so you can search it. During indexing, data is partitioned into logical indexes, which you can configure to facilitate searching and control users' access to data. Splunk Cloud Platform allows you to self-service manage your indexes across multiple tasks such as the following:

  • Creating, updating, deleting, and viewing properties of indexes
  • Modifying the retention settings for individual indexes
  • Deleting data from indexes
  • Optimizing search performance by managing the number of indexes and the data sources that are stored in specific indexes

See also

For more information about | See
Limits on data collection | Data policies in the Subscription types section
Best practices for creating indexes | Manage Splunk Cloud Platform indexes in the Splunk Cloud Platform Admin Manual
Service limits relating to indexes | Service limits and constraints

Maintenance

Unless otherwise denoted in feature-specific Documentation, Splunk manages and updates the Splunk Cloud Platform service uniformly, so all customers of Splunk Cloud Platform receive the most current features and functionality. This section describes the maintenance responsibilities handled by Splunk or you, the customer.

Splunk maintenance responsibilities

The following sections describe the maintenance responsibilities and tasks that Splunk does on your behalf.

Gets you started

When you first subscribe to Splunk Cloud Platform, Splunk sends you a welcome email containing the information required for you to access your Splunk Cloud Platform deployment and get started. This email contains a lot of important details, so keep it handy.

Assists you with supported tasks

Splunk Cloud Platform enables you to customize user, index, and app management through Splunk Web. However, some features in Splunk Cloud Platform require assistance from Splunk to activate or to change your configurations, such as real-time search and enabling AWS Kinesis Data Firehose data to be received. When you file a support ticket, Splunk enables such features on your behalf. These customer-initiated changes are performed as the customer requires, and the customer contact on the support case receives notice once the work is scheduled. During these customer-initiated changes, ingest and search services are available but degraded. In most cases, login is impacted for no more than 10 minutes. You will receive email notices when such maintenance is starting and when it is complete.

Upgrades your software and expands your subscriptions

By default, you will receive the most current version of Splunk Cloud Platform compatible with your Premium App subscriptions as Splunk-initiated Service Updates. See Current Splunk Cloud Platform and Premium App versions in the Supported versions section of this service description. If you are on a prior version of Splunk Cloud Platform and Premium App subscriptions, you will be upgraded when Splunk determines you have satisfied the Service Update readiness prerequisites or to maintain compatibility with your Premium App subscription. As Splunk releases new versions of Splunk Cloud Platform and Premium Apps, you will be notified by Splunk of the upcoming maintenance window.

Note the following operational information regarding Splunk-initiated maintenance windows:

  • You can view your maintenance window in ACS and CMC. See View maintenance windows for Splunk Cloud Platform in the Admin Config Service Manual and Review the upcoming maintenance window timeline in the Splunk Cloud Platform Admin Manual.
  • Splunk will take no more than two maintenance windows for Service Updates and/or Routine Maintenance changes per calendar month.
  • If requested at least 72 hours prior to the scheduled maintenance window, Splunk will make commercially reasonable efforts to honor change requests.
  • Splunk will notify your Operational Contacts at least 14 days in advance for Service Updates and Routine Maintenance. Operational Contacts will not receive maintenance window start and stop communications.
  • Our communications will provide specifics on whether any service will be degraded or unavailable, plus any updates to data ingestion mechanisms and applications that you are required to perform. In certain maintenance situations, data egress of Dynamic Data Self-Storage will be paused during the maintenance window.
  • If your Service Update or Routine Maintenance window extends, Splunk will notify you of the extension.
  • Emergency Maintenance is performed in circumstances that require immediate attention. We expect these Emergency Maintenance windows to be rare and, by their very nature, not scheduled. Splunk will make commercially reasonable efforts to notify customer Operational Contacts. Our communications will provide specifics about any required customer actions, such as updates to data ingestion mechanisms or applications.
  • Change Freeze requests cannot be made for emergency maintenance or routine maintenance, and Splunk may override any previously approved Change Freeze requests to perform such maintenance.
  • Change Freeze requests will only be considered for customer Splunk Cloud Platform environments on a version released within the last 12 months.

In addition, we will enhance Splunk Cloud Platform on your behalf, for example by increasing the amount of your daily ingestion, adding storage, or enabling Premium App subscriptions and Encryption at Rest for Splunk-hosted environments (if applicable).

With Zero Downtime Maintenance, certain operations will be done without a maintenance window:

  • Zero Downtime Maintenance operations are performed in the background and have minimal impact on data ingestion, login, search, UI, or access to data while the maintenance is in progress.
  • Transient error messages may appear in the Splunk user interfaces.
  • Login sessions are maintained.
  • Searches continue to run and complete throughout the Splunk service update.
  • These operations are not communicated in advance. A historical record is available in CMC upon completion of these changes and can be viewed through ACS.
  • Zero Downtime Maintenance honors Change Freeze requests, unless the operation is classified as Emergency Maintenance.

Ensures Splunk Cloud Platform uptime and security

Splunk continuously monitors the status of your Splunk Cloud Platform environment to help ensure uptime and availability. See the Monitoring section. We look at various health and performance variables such as the ability to log in, ingest data, access Splunk Web and perform searches. Splunk maintains the following:

  • A rolling 30-day history of health and utilization data to help ensure uptime and assist troubleshooting of your Splunk Cloud Platform.
  • A rolling 7-day daily backup of your ingested data and configuration files to ensure data durability. Note that the backups are accessible only to Splunk, which uses them at its discretion as the situation dictates.
  • The encryption keys when you purchase an encryption at rest subscription. See the Data retention section in Storage.

See also the information in the Users and Authentication section regarding the Splunk Admin and system user roles, and the certification of Splunk Cloud Platform by independent third-party auditors to meet SOC2 Type II and ISO 27001 security standards.

Your maintenance responsibilities

The following section describes your maintenance responsibilities and tasks.

Keep Operational Contacts up-to-date

Ensure that the Operational Contacts listed in your Splunk.com support portal are accurate and updated as necessary. Operational Contacts are notified when your Splunk Cloud Platform environment undergoes maintenance, requires configuration awareness, or experiences a performance-impacting event. These contacts will receive regular notifications of planned and unplanned downtime, including scheduled maintenance window alerts and email updates related to incident-triggered cases.

For more information, see the Splunk Cloud Platform Maintenance Policy in the Service terms and policies section.

Review Splunk Cloud Platform documentation

Splunk will notify your Operational Contacts at least 14 days in advance for Service Updates and Routine Maintenance. To ensure your Splunk Cloud Platform environment and your team are ready, review the following sections in the Splunk Cloud Platform Release Notes prior to the maintenance:

For additional questions around maintenance on your instance, please reach out to your account and/or sales team or Splunk Support.

Monitoring

Splunk utilizes multiple approaches to provide comprehensive monitoring for the Splunk Cloud Platform (SCP). Splunk continuously monitors the status and performance of each SCP environment to ensure the customer experience meets expectations.

Splunk uses bottom-up monitoring to establish predefined alerts that trigger when certain conditions are reached or computational thresholds are exceeded. This allows Splunk to alert its support teams based on known values that translate to degraded performance or the unavailability of a service.

Splunk also uses a top-down approach to monitor broader aspects of your deployment, such as login, search, ingest, indexing, and Admin Config Service (ACS), in order to proactively detect and remediate issues.

Splunk Cloud Platform uses these approaches to monitor several health and performance variables, including but not limited to the customer experience of the following:

  • Successful login to SCP (non-SAML)
  • Successful completion of ad-hoc searches
  • Successful completion of federated searches
  • Successful ingestion of data
  • Latency of indexing
  • The customer experience of scheduled searches executing on time

The customer experience of login, search, ingest, indexing, and ACS is monitored via Service Level Indicators (SLIs). The information gleaned from these SLIs does not represent a specific root cause, but rather that something isn't quite right. This approach to broad coverage allows Splunk to detect problems where prescribed alerts likely do not exist.

Bottom-up alerting is used to cover known conditions that would impact service performance and availability. Thresholds for these conditions are set, and when they are exceeded, a corresponding alert is generated.

Network connectivity and data transfer

You access your Splunk Cloud Platform environment via public endpoints, except for DoD IL5 environments. By default, for both Splunk Web access and sending your data, traffic from your network is encrypted, sent over the public internet and then routed to your Splunk Cloud Platform environment in a Virtual Private Cloud (VPC). If you choose to use private connectivity instead of the public internet to access Splunk Web and send your data, you are responsible for ensuring connectivity between your users or data sources and the Splunk Cloud Platform public endpoints. These public endpoints are protected using firewall rules and customers can also specify additional access control rules using their IP allow list. See the Service limits and constraints section for the maximum number of customer-defined rules.

Splunk offers a private connectivity solution, through AWS PrivateLink, that keeps your ingest and search traffic from traversing the public internet. If you choose to use private connectivity instead of the public internet to send your data, you are responsible for ensuring connectivity between your users or data sources and the Splunk Cloud Platform. See About private connectivity in Securing Splunk Cloud Platform for more information. Review Private connectivity under Experience designations for information about which subscriptions are supported.

You can restrict data collection to allowed IP addresses only by using the Admin Config Service (ACS). If you do not have access to ACS in your Splunk Cloud Platform region, you can file a support ticket for Splunk to assist you with this task. For more information about ACS, see Configure IP allow list for Splunk Cloud Platform. For any regulated Splunk Cloud Platform environment, such as HIPAA and PCI DSS, you must specify at least one address for the IP allow list.

In addition, forwarders and HTTP Event Collectors compress data when sending over TLS. The amount of compression varies based on the content. For bandwidth planning, assume a compression ratio between 8:1 and 12:1.

If you use optional AWS and Google Cloud services, or your own managed private connectivity, to reduce your overall network costs and increase bandwidth throughput (for example, Dynamic Data Self-Storage to export your aged ingested data to your Amazon S3 or Google Cloud Storage account, or the AWS Kinesis Data Firehose service for data ingestion), note the following:

  • You are responsible for setup, configuration, and operation of these optional AWS and Google Cloud services and resources, and any associated payments to AWS and Google Cloud.
  • You are responsible for ensuring connectivity between your users or data sources and the Splunk Cloud Platform public endpoints. Splunk Cloud Platform also does not provide a virtual gateway for data ingestion purposes.
  • These optional AWS and Google Cloud services or resources may not be available in all Splunk Cloud Platform regions. See Available regions and region differences for the regions Splunk Cloud Platform supports and also refer to the respective AWS and Google Cloud documentation for more information.

Performance considerations

A Splunk Cloud Platform workload-based subscription provisions the Splunk Virtual Compute (SVC) entitlement up to your subscription level. Workload-based subscriptions do not meter ingestion. You can increase ingest and/or search load and operate the service to your desired performance objective until the SVC entitlement of your subscription reaches full utilization. As necessary, you can purchase additional SVC to increase ingest and search load or to improve performance.

A Splunk Cloud Platform ingest-based subscription plan is provisioned with adequate compute capacity. Because search workloads can vary considerably, subscription plans with peak daily ingest of 1000 GB and greater are guaranteed an allocation of Splunk Virtual Compute as defined below.

A Splunk Virtual Compute (SVC) is a unit of capability in Splunk Cloud Platform that includes compute, memory, and I/O resources. SVCs are allocated to your subscription plan based on your average daily ingest-based subscription level, up to a maximum of 1 SVC for every 10 GB of licensed peak daily ingest. Purchase of the Splunk Enterprise Security (ES) Premium Solution provides an incremental SVC allocation of 1 SVC for every 20 GB of licensed peak daily ingest. Purchase of the Splunk IT Service Intelligence (ITSI) Premium Solution provides an incremental SVC allocation of 1 SVC for every 20 GB of licensed peak daily ingest. The ratio of allocated SVC to licensed peak daily ingest level is subject to change with the evolving infrastructure and architecture of the service. Splunk Cloud Platform establishes SVC performance using a Splunk Search Benchmark to ensure that new ratios continue to provide the same or better levels of performance.

Search

Splunk Cloud Platform allows you to search and navigate all of the machine data that you ingest into the service. Searches can be done using the Splunk Search Processing Language (SPL), or using alternative ways to display and analyze data graphically without composing SPL queries. Searches can be ad hoc and scheduled, with results in the form of visualizations, reports, and alerts.

If you enable Dynamic Data Self-Storage to export your aged ingested data prior to deletion, any data moved from these indexes to your AWS S3 or Google Cloud Storage account will no longer be searchable by Splunk Cloud Platform. If you augment Splunk Cloud Platform with Dynamic Data Active Archive (DDAA), restored DDAA data is searchable within 24 hours of it being restored and is searchable for up to 30 days.

In Splunk Cloud Platform, real-time search is enabled by default on Victoria Experience; on Classic Experience, you open a support ticket to enable real-time search. Note that real-time searches are resource-intensive and can impact the overall health and performance of your searches.

You can review the health and performance of your search using the Cloud Monitoring Console (CMC) app that is included in your Splunk Cloud Platform environment. CMC shows information such as long running searches, skipped scheduled searches, and average search run time.

Splunk Cloud Platform has service limits related to search, such as the maximum number of concurrent searches. This service limit and others are listed in the Service limits and constraints section.

See also the note about federated search for Splunk limitations in Compliance and certifications and Experience designations.

Federated search for Splunk

Federated search for Splunk allows you to search datasets outside of your local Splunk platform deployment. From your local search head, federated search gives you a holistic view of datasets across multiple Splunk platform deployments. For more information, see About Federated Search for Splunk.

The table lists the conditions and limitations that apply to federated search for Splunk.

Compliance
  • Splunk Cloud Platform SOC2 environments are supported.
  • Splunk Cloud Platform HIPAA, IRAP, PCI DSS, FedRAMP Moderate, FedRAMP High, and DoD IL5 environments are supported.

Federated Provider Mode
  • Standard mode is enabled by default.
  • Transparent mode is enabled by default in 8.2.2109.

Federated Search for Splunk Topology
  • You can initiate searches from a Splunk Cloud Platform environment to one or more Splunk Cloud Platform environments.
  • You can initiate searches from a Splunk Enterprise environment to one or more Splunk Cloud Platform environments.
  • You can initiate searches from a Splunk Cloud Platform environment to a Splunk Enterprise environment.
  • For DoD IL5, only searches from a Splunk Enterprise environment to one or more Splunk Cloud Platform IL5 environments are supported. No other Federated Search for Splunk topology is supported.
  • Splunk doesn't support Federated Search from Splunk Cloud Platform to Splunk Enterprise in Transparent Mode.

Region Support
  • Search from AWS regions to Splunk on-premises is supported. This includes FedRAMP Moderate and FedRAMP High subscriptions in AWS GovCloud regions. Search from Google Cloud regions to Splunk on-premises is not supported.
  • Search from DoD IL5 subscriptions in AWS GovCloud regions to Splunk on-premises is not supported.

Search Concurrency
  • Your Splunk Cloud Platform search concurrency limits apply to searches initiated from either the local or the remote Splunk Cloud Platform search tier. For more information, see Service limits and constraints.

Search Tier Architecture
  • Any combination of search tier architecture is supported.

Search Types
  • Ad hoc and scheduled searches are supported.
  • datamodel and tstats are supported in transparent mode, and in standard mode when you are searching a federated index that is mapped to a data model dataset.

Splunk Cloud Platform and Splunk Enterprise Version Compatibility
  • For Cloud to Cloud in AWS regions: Splunk Cloud Platform 9.0+ is highly recommended to ensure compatibility and supportability.
  • For on-premises to Cloud in AWS regions: Splunk Enterprise 9.0+ and Splunk Cloud Platform 9.0+ are highly recommended to ensure compatibility and supportability.
  • For Cloud in AWS regions to on-premises: Splunk Enterprise 9.0+ and Splunk Cloud Platform 9.0+ are highly recommended to ensure compatibility and supportability.
  • For Cloud to Cloud in Google Cloud regions, HIPAA, PCI, and IRAP: Splunk Cloud Platform 9.0+ is highly recommended to ensure compatibility and supportability.
  • For on-premises to Cloud in Google Cloud regions: Splunk Enterprise 9.0+ and Splunk Cloud Platform 9.0+ are highly recommended to ensure compatibility and supportability.

Federated search for Amazon S3

Federated search for Amazon S3 is a feature that enables you to search data in Amazon S3 without having to ingest that data into your Splunk Cloud Platform environment. When you use federated search for Amazon S3 you run searches utilizing AWS Glue Data Catalog tables that represent the data in your Amazon S3 buckets. For more information, see About Federated Search for Splunk.

Federated search for Amazon S3 is designed for low-frequency, ad-hoc search of historical data stored in Amazon S3 leveraging the benefits in terms of cost, compliance and scalability that this service provides.

Contact your Splunk sales representative to activate federated search for Amazon S3 on your Splunk Cloud Platform environment. When you do this you will acquire a data scan entitlement that is based on the volume of Amazon S3 data on disk (in terabytes) you are projected to scan over the upcoming year to date. You can track your usage against your entitlement through a Federated Search for Amazon S3 dashboard in the Cloud Monitoring Console.

To use federated search for Amazon S3, you must have the following:

  • A Splunk Cloud Platform environment on version 9.0.2305 or higher. Your Splunk Cloud Platform environment must be in an AWS region. Splunk Cloud Platform environments in Google Cloud regions are not supported. FedRAMP Moderate and DoD IL5 environments are supported. Splunk Cloud Platform FedRAMP High environments are not supported.
  • Existing Amazon S3 buckets with data that you want to search. Federated Search for Amazon S3 supports data originating from Edge Processors, Ingest Actions, and Ingest Processor. Federated Search for Amazon S3 does not currently support reading data from Dynamic Data Self-Storage or Dynamic Data Active Archive format.
  • Permissions to modify access policies for Amazon S3 buckets and AWS Glue Data Catalog tables and databases in your AWS account.

Hybrid search

This feature will no longer be supported after October 31st, 2024. Ensure that you migrate to Federated Search before this date to avoid interruptions. For instructions on how to migrate, see Migrate from hybrid search to Federated Search for Splunk in the Federated Search manual.

To examine data in Splunk Cloud Platform and your on-premises deployment of Splunk Enterprise in a single search, you can configure a Splunk Enterprise search head to connect to a Splunk Cloud Platform indexer cluster. This configuration is called hybrid search.

The table lists the conditions and limitations that apply to hybrid search.

Hybrid Search Head Architecture
  • A single hybrid search head for ad hoc searches. Splunk Cloud Platform does not support hybrid search head cluster configurations of any kind.

Hybrid Search Topology
  • You can initiate searches from an on-premises Splunk Enterprise search head to a single Splunk Cloud Platform deployment.
  • You cannot initiate searches from an on-premises Splunk Enterprise search head to multiple Splunk Cloud Platform environments.
  • You cannot install a Splunk Premium Solution on a hybrid search head. However, you can run a hybrid search against a Splunk Cloud Platform environment that includes a premium solution, as long as the hybrid search head running the hybrid search complies with all necessary conditions and limitations. For more information about optional and compatible premium solutions that you can add to your subscription, see Splunk premium solutions.
  • You cannot initiate searches from a Splunk Cloud Platform search head to an on-premises Splunk Enterprise environment.
  • You cannot initiate searches from a Splunk Cloud Platform search head to another Splunk Cloud Platform environment.

Premium Solution
  • Hybrid search is not available for use with any Splunk premium solution. For a list of available premium solutions, see Splunk premium solutions.

Search Concurrency
  • Your Splunk Cloud Platform search concurrency limits apply to searches initiated either from the Cloud search tier or from on-premises hybrid search heads. For more information, see Service limits and constraints.

Search Types
  • Ad hoc search is supported. Scheduled search is not supported from a hybrid search head. If a scheduled search is enabled and deemed to be causing performance issues, the remediation is to disable the scheduled search.

Splunk Version Compatibility
  • See Supported hybrid search versions in the Supported versions section.

See also

For more information about | See
Splunk Search Processing Language | Get started with Search in the Splunk Cloud Platform Search Manual
Dynamic Data Active Archive | Store expired Splunk Cloud Platform data to a Splunk-managed archive
Dynamic Data Self-Storage | Store expired Splunk Cloud Platform data to your private archive
Cloud Monitoring Console | Monitor your Splunk Cloud Platform Deployment in the Splunk Cloud Platform Admin Manual
Hybrid search | Configure hybrid search in the Splunk Cloud Platform Admin Manual
Federated search | Overview of the federated search options for the Splunk platform in the Splunk Cloud Platform Federated Search manual

Security

The security and privacy of your data is of the utmost importance to you and your organization, and Splunk makes this a top priority. Splunk Cloud Platform service is designed and delivered using key security controls described in the following sections.

App security

All Splunk apps hosted on Splunk Cloud Platform by Splunk are examined by Splunk engineers to ensure that they comply with the requirements in Vet apps and add-ons for Splunk Cloud Platform. Splunk Cloud Platform vetting provides a set of best practices for app developers. For details about how to submit an app for evaluation for Splunk Cloud Platform readiness, see the Splunk Developer web page.

Data encryption

All data in transit to and from Splunk Cloud Platform is TLS 1.2+ encrypted. To encrypt data at rest, you can purchase AES 256-bit encryption for Splunk-hosted environments for an additional charge. Keys are rotated regularly and monitored continuously.

Data handling

You can store your data in one of the available AWS or GCP regions. See Available regions and region differences for global regions supported in the Splunk Cloud Platform service.

Data is kept in the region you choose. If you need to store your data in more than one region, you can purchase multiple subscriptions. Data is retained in Splunk Cloud Platform according to the volumes, durations, and index configurations you set. Expired data is deleted based on your pre-determined schedule.

For the purposes of disaster recovery, your configuration and recently-ingested data is backed up on a rolling seven-day window. If you require your ingested data to be moved into your control before the termination of your subscription, this is accomplished through a Splunk Professional Services engagement. Some data can be moved into your control by enabling Dynamic Data Self-Storage to export your aged data to your Amazon S3 or Google Cloud Storage account in the same region. Note that Dynamic Data Self-Storage does not export your configuration data. Depending on the amount of data and the work involved, we may charge for this service. For more information on Splunk Cloud Platform data management, see Review Splunk Cloud Platform data policies and also Manage Splunk Cloud Platform indexes in the Splunk Cloud Platform Admin Manual.

Instance security

Every Splunk Cloud Platform deployment runs in a secured environment on a stable operating system and in a network that is hardened to industry standards using a default-deny firewall policy, which permits access only to specific IP addresses and services. Your deployment is regularly scanned for host- and application-level threats.

Isolation of data and service

In the cloud, your data is logically isolated from other customers' data, so your performance and data integrity cannot be affected by other customers who are using the Splunk Cloud Platform service.

Security controls and background screening

Splunk security controls are described in our most recent Service Organization Control II, Type II Report (SOC 2/Type 2 Report). For more information about regions for which Splunk does not have SOC2 controls in place, see the Splunk Cloud Platform Security Addendum. Splunk conducts criminal background checks on its employees prior to hire, as permitted by law.

User authentication and access

You can configure authentication using Lightweight Directory Access Protocol (LDAP), Active Directory (AD), and single sign-on using any SAML v2 identity provider. To control what your Splunk Cloud Platform users can do, you assign them roles that have a defined set of specific capabilities. Splunk Cloud Platform enables you to configure account policies that require unique user names, minimum password length, and regular password resets with supported SAML v2 identity providers and LDAP. To enable multifactor authentication, customers must configure a SAML v2 identity provider that supports multifactor authentication. Only SHA-256 signatures in the SAML message between your IdP and Splunk Cloud Platform are supported.

If authentication and access methods for a feature differ from the above, it will be documented in the feature-specific Documentation.
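Because only SHA-256 signatures in the SAML message are supported, a pre-cutover check of a sample SAML Response captured from your IdP avoids a failed login at go-live. The following is an added example, not Splunk's code: it parses a constructed SAML Response and reports every XML Signature whose SignatureMethod or DigestMethod is not SHA-256 (it checks the algorithms only; it does not verify the signature values themselves).

```python
"""Pre-flight check of the signature algorithms in a SAML message.

Added example (not Splunk's code). Splunk Cloud Platform accepts only
SHA-256 signatures in the SAML message from your IdP, so before cutting
over, capture a sample Response from the IdP and confirm that every
ds:Signature uses SHA-256 for both the signature and the digest.
"""
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Algorithm URIs from W3C XML Signature and RFC 6931.
SHA256_SIGNATURE_ALGS = {
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
}
SHA256_DIGEST_ALG = "http://www.w3.org/2001/04/xmlenc#sha256"


def check_saml_signatures(xml_text: str) -> dict:
    """Report every ds:Signature in the message and whether all use SHA-256.

    Returns {"ok": bool, "signatures": [...], "problems": [...]}. ok is True
    only when at least one signature is present and every SignatureMethod
    and DigestMethod is a SHA-256 algorithm. Algorithms only are checked;
    the signature value itself is not verified.
    """
    # expat does not fetch external entities, so a captured sample is safe
    # to parse here; for untrusted input prefer the defusedxml package.
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    report = {"ok": True, "signatures": [], "problems": []}

    for sig in root.iter(DS + "Signature"):
        # The parent element tells you whether the Response or the Assertion is signed.
        signed_name = parent_of.get(sig, root).tag.split("}")[-1]
        method = sig.find(f"./{DS}SignedInfo/{DS}SignatureMethod")
        sig_alg = method.get("Algorithm", "") if method is not None else ""
        digest_algs = [d.get("Algorithm", "") for d in sig.iter(DS + "DigestMethod")]

        entry = {"signed_element": signed_name, "signature_alg": sig_alg,
                 "digest_algs": digest_algs, "ok": True}
        if sig_alg not in SHA256_SIGNATURE_ALGS:
            entry["ok"] = False
            report["problems"].append(
                f"{signed_name}: SignatureMethod {sig_alg or '(missing)'} is not SHA-256")
        for alg in digest_algs or ["(missing)"]:
            if alg != SHA256_DIGEST_ALG:
                entry["ok"] = False
                report["problems"].append(f"{signed_name}: DigestMethod {alg} is not SHA-256")
        report["signatures"].append(entry)

    if not report["signatures"]:
        report["problems"].append("no ds:Signature element found in the SAML message")
    report["ok"] = not report["problems"]
    return report


# Constructed sample: the IdP signs the Response with RSA-SHA1 (unsupported)
# but the Assertion with RSA-SHA256 (supported). Signature and digest values
# are placeholders, which is fine because only the algorithms are inspected.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_r1">
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0">
    <ds:Signature>
      <ds:SignedInfo>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="#_a1">
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    result = check_saml_signatures(SAMPLE_RESPONSE)
    print("OK" if result["ok"] else "NOT OK: fix the IdP signing settings before cutover")
    for problem in result["problems"]:
        print(" -", problem)
```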

See also

For more information about | See
Splunk data privacy, security and compliance | Splunk Protects
Availability of service components between the AWS and Google Cloud regions | Available regions and region differences

Self-service capabilities

The table lists common Splunk Cloud Platform self-service tasks. For more information regarding these self-service tasks, refer to the respective Splunk Cloud Platform manual.

Area | Example tasks | Interface
Data Collection | Forwarder Management | Splunk Web
Data Collection | HEC Configuration | Admin Config Service, Splunk Web
Health Monitoring | Search performance, Active users, Ingestion volume | Cloud Monitoring Console
Ingestion | Index Management | Admin Config Service, Splunk Web
Network Connectivity and Data Transfer | IP Allow List management, Outbound port management, Private connectivity, Export expired data | Admin Config Service, Splunk Web
Search | Search Configuration, Workload Management, Search Concurrency Limits | Splunk Web
Splunkbase and private app | Installation and updates | Admin Config Service, Splunk Web
Subscription entitlement and usage monitoring | Splunk Virtual Compute (SVC) usage, Active Searchable and Active Archive storage usage | Cloud Monitoring Console
Users and Authentication | Manage users and roles, Configure central authentication, Manage authentication tokens | Splunk Web, Admin Config Service

Service level agreement

Splunk provides an uptime SLA for Splunk Cloud Platform and will use commercially reasonable efforts to make the Services available. You will receive service credits in the event of SLA failures, as set forth in our current SLA schedule. As Splunk Cloud Platform is offered uniformly across all customers, the SLA cannot be modified on a customer by customer basis.

Splunk Cloud Platform is considered available if you are able to log into your Splunk Cloud Platform Service account and initiate a search using Splunk Software. Splunk continuously monitors the status of each Splunk Cloud Platform environment to help ensure the SLA. In addition, Splunk Cloud Platform monitors several additional health and performance variables, including but not limited to the following:

  • Ability to log into Splunk Cloud Platform (non-SAML)
  • Ability to access Splunk Web
  • Ability to access a Splunk REST API endpoint
  • Ability to perform searches against an internal Splunk index
  • Ability to ingest data cluster wide
  • Presence of unsupported configurations

Splunk adds predefined system users and system roles to all Splunk Cloud Platform environments. Splunk uses these system users and roles to perform essential monitoring and maintenance activities in Splunk Cloud Platform environments. Customers are advised not to delete or edit system users or roles, because they are essential to performing monitoring and maintenance activities in Splunk Cloud Platform environments.

See also

  • Scripted and modular inputs: see Experience designations
  • Splunk Cloud Platform system users: see Manage Splunk Cloud Platform users and roles in the Splunk Cloud Platform Admin Manual
  • SLA for Splunk Cloud Platform: see Splunk Cloud Service - Service Level Schedule

Service limits and constraints

The following are Splunk Cloud Platform service limits and constraints. These service limits may vary based on your Splunk Cloud Platform subscription. You can use this list as guidance to ensure the best Splunk Cloud Platform experience. Keep in mind that some limits depend on a combination of configuration, system load, performance, and available resources. Unless noted, the service limit is identical for both Experience designations. Contact Splunk if your requirements are different or exceed what is recommended in this table.

Platform service limits (hard limits)

You can use this list as guidance to ensure the best Splunk Cloud Platform experience. You cannot exceed these hard service limits.

Each entry gives the category and service component, the limitation, and additional information.

  • Email notifications, maximum number of email recipients: 50. This is a hard limit of the Splunk Cloud Platform email relay service. Use an email distribution list to increase the number of email recipients.
  • Email notifications, maximum email attachment size: 40 MB. This is a hard limit of the Splunk Cloud Platform email relay service.
  • IT Service Intelligence, Event Analytics / Correlation Searches: 100. You can configure up to 100 Correlation Searches.
  • IT Service Intelligence, Event Analytics / Notable Event Aggregation Policies: 100. You can configure up to 100 Notable Event Aggregation Policies, with a 50/50 division between time-based and non-time-based NEAPs.
  • IT Service Intelligence, Service Insights / Service Templates:
    • 1000 Services per Service Template (having 5 KPIs and 40 Entities). You can configure up to 1000 Services per Service Template if the Service Template is configured with 5 KPIs and 40 Entities.
    • 600 Services per Service Template (having 10 KPIs and 75 Entities). You can configure up to 600 Services per Service Template if the Service Template is configured with 10 KPIs and 75 Entities.
    • 300 Services per Service Template (having 10 KPIs and 150 Entities). You can configure up to 300 Services per Service Template if the Service Template is configured with 10 KPIs and 150 Entities.
  • Other, Splunk Cloud Platform ID: For AWS regions, a minimum of 2 characters and a maximum of 22 characters. Any lowercase letter, any digit from 0 to 9, and the hyphen character are allowed; all other ASCII characters are not allowed. For Google Cloud regions, a minimum of 4 characters and a maximum of 22 characters, and the ID must start with a letter. Any lowercase letter, any digit from 0 to 9, and the hyphen character are allowed; all other ASCII characters are not allowed. The Splunk Cloud Platform ID is a unique name chosen by you that determines your URL at [Splunk Cloud Platform ID].splunkcloud.com or [Splunk Cloud Platform ID].splunkcloudgc.com. Splunk has discretion to decline a submitted Splunk Cloud Platform ID and can request that an alternative be selected.
  • Search, CSV lookup: 5 GB. Larger CSV lookups will not replicate across a search head cluster and will be quarantined on the search head on which they were generated. We recommend using KV Store for lookups larger than 1 GB.
  • Search, Knowledge Bundle replication size: 3 GB. This is the hard limit of the maximum Knowledge Bundle replication size. If the Knowledge Bundle exceeds this service limit, the search tier will not push the bundle to the indexer tier. Searches on the indexer tier will instead use the previously pushed bundle, which will be within the size limit.
  • Search, search concurrency per Premium Solution (Splunk App for Microsoft Exchange, Splunk App for VMware): 38. When you add these Premium App subscriptions to Splunk Cloud Platform, additional search processes are available for each Premium App. These search processes are exclusive to the Premium Solution subscription.
  • Security, IP allow list address rules per allow list group in Splunk Cloud Platform deployments in AWS regions: 230. This is the hard limit per IP allow list group. For example, the service limit for collecting data is separate from the one for sending search queries. Customers specify the IP addresses or IP address ranges that are permitted to access Splunk Cloud Platform, and those from which Splunk Cloud Platform can collect data (forwarders and HEC) and accept search queries. These are generically referred to as IP allow list rules. These rules can be configured to use CIDR blocks to maximize the IP allow list coverage. For more information, see IP allow list behavior and IP subnet limits.
  • Security, IP allow list address rules per feature allow list in Splunk Cloud Platform deployments in Google Cloud regions: 200. This is the hard limit per IP feature allow list. For example, the IP allow list service limit for collecting data is separate from the one for sending search queries. Customers specify the IP addresses or IP address ranges that are permitted to access Splunk Cloud Platform, and those from which Splunk Cloud Platform can collect data (forwarders and HEC) and accept search queries. These are generically referred to as IP allow list rules. These rules can be configured to use CIDR blocks to maximize the IP allow list coverage. For more information, see IP allow list behavior and IP subnet limits.
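Two of the hard limits above are easy to check before submitting a change request: the Splunk Cloud Platform ID naming rules (which differ between AWS and Google Cloud regions) and the per-group IP allow list rule count, where adjacent or overlapping entries can be merged into CIDR blocks to stay under the limit. The following is an added example written for this page, not Splunk's own code or tooling; the rule patterns and the 230/200 limits are taken from the table above, and the sample allow list entries are constructed.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

# Naming rules for the Splunk Cloud Platform ID, as stated in the hard limits table.
CLOUD_ID_RULES = {
    # AWS regions: 2 to 22 characters of lowercase letters, digits and hyphens.
    "aws": re.compile(r"^[a-z0-9-]{2,22}$"),
    # Google Cloud regions: 4 to 22 characters, first character must be a letter.
    "gcp": re.compile(r"^[a-z][a-z0-9-]{3,21}$"),
}
CLOUD_ID_DOMAIN = {"aws": "splunkcloud.com", "gcp": "splunkcloudgc.com"}

# Hard limit on address rules per allow list group (AWS) / feature allow list (GCP).
ALLOW_LIST_RULE_LIMIT = {"aws": 230, "gcp": 200}


def validate_cloud_id(cloud_id: str, cloud: str) -> Optional[str]:
    """Return the hostname the ID would produce, or None if the ID is not allowed.

    The table allows only lowercase ASCII letters, digits and hyphens, so the
    ASCII check rejects uppercase, whitespace and any non-ASCII characters
    before the length/pattern rule for the region family is applied.
    """
    if not cloud_id.isascii() or not CLOUD_ID_RULES[cloud].match(cloud_id):
        return None
    return f"{cloud_id}.{CLOUD_ID_DOMAIN[cloud]}"


def plan_allow_list(rules: Iterable[str], cloud: str) -> Dict:
    """Collapse candidate allow list entries and compare the count with the limit.

    `rules` holds single IP addresses or CIDR strings. Overlapping and adjacent
    entries are merged with ipaddress.collapse_addresses (IPv4 and IPv6 are
    collapsed separately, as the library requires), so the result is the
    smallest rule set that gives the same coverage.
    """
    nets = [ipaddress.ip_network(r, strict=False) for r in rules]
    v4 = ipaddress.collapse_addresses([n for n in nets if n.version == 4])
    v6 = ipaddress.collapse_addresses([n for n in nets if n.version == 6])
    collapsed: List[str] = [str(n) for n in v4] + [str(n) for n in v6]
    limit = ALLOW_LIST_RULE_LIMIT[cloud]
    return {
        "submitted": len(nets),
        "collapsed": len(collapsed),
        "limit": limit,
        "fits": len(collapsed) <= limit,
        "rules": collapsed,
    }


if __name__ == "__main__":
    # Constructed sample: two adjacent /25s plus a host inside them, one
    # external host, and one IPv6 prefix. Five entries collapse to three rules.
    sample = ["10.0.0.0/25", "10.0.0.128/25", "10.0.0.5", "203.0.113.7", "2001:db8::/32"]
    print(validate_cloud_id("acme-prod-01", "aws"))
    print(plan_allow_list(sample, "aws"))
```

The collapsed rule list is what you would submit, and the `fits` flag tells you whether the group stays under the hard limit; when it does not, splitting forwarders and search clients across the separate allow list groups the table describes is the documented way to gain headroom.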

Tested and recommended service limits (soft limits)

You can use this list as guidance to ensure the best Splunk Cloud Platform experience. If you exceed these soft service limits and have a degraded experience, Splunk may recommend you reduce to below the tested or recommended limit as part of service remediation.

Each entry gives the category and service component, the limitation, and additional information.

  • Apps, Splunkbase and private apps: 250. This is the maximum tested limit for self-service Splunkbase and private app management. If you exceed this soft service limit, you may experience issues with performing self-service app management.
  • Data Ingress, active indexes: 1000 for Victoria Experience; 700 for Classic Experience. This is the maximum tested limit for the number of active indexes per Splunk Cloud Platform environment. If you exceed this soft service limit, you may experience issues.
  • Data Collection, HEC maximum content length: 1 MB. There is a recommended limit to the HEC payload size in Splunk Cloud Platform to ensure data balance and ingestion fidelity. A HEC request can have one or more Splunk events batched into it, but the payload size should be no larger than this limit. If you exceed this limit, you may experience performance issues related to data balance and ingestion fidelity.
  • Data Egress, Dynamic Data Self-Storage export of aged data per index from Splunk Cloud Platform to Amazon S3 or Google Cloud Storage: no limit to the amount of data that can be exported from your indexes to your Amazon S3 or Google Cloud Storage account in the same region. Dynamic Data Self-Storage is designed to export 1 TB of data per hour.
  • Data Egress, search results via UI or REST API: recommended no more than 10% of ingested data. For optimal performance, no single query, and no aggregate of all queries over the day from the UI or REST API, should return full results of more than 10% of the ingested daily volume. To route data to multiple locations, consider solutions such as Ingest Actions, Ingest Processor, or the Edge Processor solution.
  • Data Egress, search results to Splunk User Behavior Analytics (UBA): no limit. This covers data resulting from search queries that feed into Splunk User Behavior Analytics (UBA).
  • Edge Processor solution, total traffic through an Edge Processor network: 100 TB/day. This is the maximum total amount of traffic running through all deployed Edge Processor instances for each Splunk Cloud Platform environment.
  • Edge Processor solution, number of Edge Processor instances: 50 instances. This is the maximum total number of Edge Processor instances. As a reminder, an Edge Processor can be made up of one or multiple Edge Processor instances.
  • Edge Processor solution, number of applied pipelines per Edge Processor: 100 pipelines. This is the maximum total number of applied pipelines per Edge Processor. Pipelines with longer SPL2 configurations may reduce this maximum.
  • Enterprise Security, correlation searches: 400 for Victoria Experience; 600 for Classic Experience. This was the limit tested for Enterprise Security on Splunk Cloud Platform. Note that there are different service limits for the Victoria and Classic Experiences. A correlation search is a type of scheduled search. Correlation searches are a part of Enterprise Security and are used to generate notable events or execute other adaptive response actions. If your use case exceeds the tested limit and is deemed to be causing performance issues, the remediation is to change the configured limit to no more than the tested limit. See Correlation search overview for Splunk Enterprise Security.
  • Enterprise Security, accelerated data models: 20 for Victoria Experience; 75 for Classic Experience. This was the limit tested for Enterprise Security on Splunk Cloud Platform. Note that there are different service limits for the Victoria and Classic Experiences. Data models and data model acceleration are critical components of Enterprise Security. To provide the best experience possible for customers, we suggest a maximum of 9 accelerated models. The most commonly deployed data models are: Change, Endpoint, Authentication, Intrusion Detection, Network Sessions, Network Resolution, Network Traffic, Web, and Performance. If your use case exceeds the tested limit and is deemed to be causing performance issues, the remediation is to change the configured limit to no more than the tested limit. See Configure data models for Splunk Enterprise Security.
  • Enterprise Security, maximum ES search concurrency per Splunk Cloud Platform environment: 150 for Victoria Experience; 78 for Classic Experience. When you add an Enterprise Security subscription to Splunk Cloud Platform, additional search processes are available for it, in addition to the search concurrency included in the Splunk Cloud Platform subscription. This is the standard limit to the number of searches that Enterprise Security can concurrently admit, as tracked in metrics.log. If you require ES search concurrency beyond the standard limit, you may be able to obtain it by optimizing your existing search workload or by contacting your Splunk sales representative to increase your SVC entitlement.
  • Enterprise Security, total ES daily searches: 500,000 searches/day for an entitlement of more than 166 SVC or 1 TB, for Victoria Experience. This is the maximum tested limit of Enterprise Security specific searches that can be executed successfully in a well-tuned system. If you exceed this soft service limit, you may experience issues with scheduled search completion. Note that other factors, such as the search concurrency limit or the nature of the searches, may further limit the number of successful searches that run.
  • Ingest Processor, maximum number of pipelines per tenant: 50 pipelines.
  • IT Service Intelligence, Event Analytics / alert ingestion: 100,000 alerts per minute. You can ingest up to 100,000 alerts per minute into Event Analytics with your Correlation Searches. This assumes the NEAP action rules are configured with up to 1500 comment actions per minute and 1000 state change actions per minute, with 50,000 active episodes. Note: this limit applies only when the NEAP has no external episode action rules.
  • IT Service Intelligence, total search concurrency: 150. When you add an IT Service Intelligence subscription to Splunk Cloud Platform, additional search processes are available for it. This starting point scales up at higher ingestion rates and also for workload-based subscriptions.
  • KV Store, maximum collection size: 25 GB. This is the maximum size of a single collection that is tested with KV Store per Splunk Cloud Platform environment.
  • KV Store, total maximum size: 100 GB. This is the total maximum recommended size of KV Store across all collections per Splunk Cloud Platform environment.
  • Search, federated search for Amazon S3 (events): 100,000 events. This is the maximum configurable implicit default limit for federated search for Amazon S3. You can change this limit by contacting Splunk Support.
  • Search, federated search for Amazon S3 (data volume): 10 TB by default. This is the maximum configurable overall data volume limit for federated search for Amazon S3. You cannot use a LIMIT clause to create searches that exceed that volume limit. You can change this limit by contacting Splunk Support.
  • Search, federated search for Splunk: 25. This is the maximum tested limit for the number of Splunk Cloud Platform and Splunk Enterprise remote deployments used with federated search for Splunk. If you exceed this soft service limit, you may experience issues with performing federated search for Splunk.
  • Search, join command for subsearch: 50,000. The join command combines the results of a subsearch with the results of a main search. This limit is the maximum number of result rows in the output of a subsearch that can be joined against a main search. For more information, see the join command in the Splunk Cloud Platform Search Reference.
  • Search, Knowledge Bundle replication size: 3 GB. This is the hard limit of the maximum Knowledge Bundle replication size. If the Knowledge Bundle exceeds this service limit, the search tier will not push the bundle to the indexer tier. Searches on the indexer tier will instead use the previously pushed bundle, which will be within the size limit.
  • Search, maximum search concurrency per Splunk Cloud Platform environment: 400 for an entitlement of more than 900 SVC or 7 TB. This is the standard limit to the number of ad hoc and scheduled searches that a Splunk Cloud Platform environment can concurrently admit, as tracked in metrics.log. Search concurrency limits apply to searches initiated either from the Cloud search tier or from on-premises hybrid and federated search heads. If you require search concurrency beyond the standard limit, you may be able to obtain it by optimizing your existing search workload or by contacting your Splunk sales representative to increase your SVC entitlement. For more information on setting percentages of concurrency for scheduled and summarization searches, see Configure Search Settings in Splunk Cloud Platform.
  • Search, scheduled search: 700,000 searches/day for an entitlement of less than 166 SVC or 1 TB; 1.5 M searches/day for an entitlement of more than 166 SVC or 1 TB. This is the maximum tested limit of scheduled searches that can be scheduled successfully. Note the subscription tiers and the applicable service limit. If you exceed this soft service limit, you may experience issues with scheduled search completion. Note that other factors, such as the search concurrency limit or the nature of the searches, may further limit the number of successful scheduled searches that run.
  • Storage, DDAA restorations (size): 25 TB. Dynamic Data Active Archive restorations were not designed to exceed 25 TB. If you need more than 25 TB, split the desired time range into multiple smaller restores, each below the recommended size limit.
  • Storage, DDAA restorations (share of DDAS): 10% of DDAS. Dynamic Data Active Archive enables restoring data up to 10% of your Active Searchable storage. If you no longer need already restored data, you can clear it before it expires to reclaim space for additional restores. If you still require more data than 10% of your DDAS, contact your account team to discuss options.
  • Workload Management, Workload Rules: 100. You can configure up to 100 Workload Rules.
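The HEC content length entry above says a request may carry several batched events but should stay under 1 MB. A sender therefore needs to size its batches by encoded bytes rather than by event count, and it should reject a single event that can never fit instead of sending it and losing it. The following is an added example, not Splunk's own client code or SDK; it assumes the standard HEC JSON event envelope (`event`, `sourcetype`, optional `index`), reads "1 MB" conservatively as 1,000,000 bytes, and the sample events are constructed.

```python
import json
from typing import Dict, Iterable, Iterator, List, Optional

# Soft limit from the service description. "1 MB" is read conservatively as
# 1,000,000 bytes (assumption); use 1024 * 1024 if your environment documents
# the binary reading.
HEC_MAX_CONTENT_LENGTH = 1_000_000


def encode_hec_event(event: Dict, sourcetype: str, index: Optional[str] = None) -> bytes:
    """Serialise one event in the HEC JSON envelope as compact UTF-8."""
    envelope = {"event": event, "sourcetype": sourcetype}
    if index is not None:
        envelope["index"] = index
    return json.dumps(envelope, separators=(",", ":")).encode("utf-8")


def batch_hec_payloads(events: Iterable[Dict], sourcetype: str,
                       index: Optional[str] = None,
                       max_bytes: int = HEC_MAX_CONTENT_LENGTH) -> Iterator[bytes]:
    """Yield request bodies, each a newline-separated run of encoded events
    whose total size never exceeds max_bytes.

    A single event larger than max_bytes cannot be made to fit by batching,
    so it is rejected explicitly rather than sent and failed later.
    """
    buf = bytearray()
    for event in events:
        encoded = encode_hec_event(event, sourcetype, index)
        if len(encoded) > max_bytes:
            raise ValueError(
                f"single event of {len(encoded)} bytes exceeds the {max_bytes}-byte limit")
        # +1 accounts for the newline separator between events in one body.
        if buf and len(buf) + 1 + len(encoded) > max_bytes:
            yield bytes(buf)
            buf = bytearray()
        if buf:
            buf += b"\n"
        buf += encoded
    if buf:
        yield bytes(buf)


def batch_sizes(events: List[Dict], sourcetype: str, max_bytes: int) -> List[int]:
    """Byte size of each request body that batch_hec_payloads would send."""
    return [len(body) for body in batch_hec_payloads(events, sourcetype, max_bytes=max_bytes)]


if __name__ == "__main__":
    # Constructed sample: 25 identical 140-byte events, batched under an
    # artificially low limit so the split is visible without building a
    # megabyte of data. Two events fit per body (281 bytes), so 13 bodies result.
    sample = [{"msg": "x" * 100} for _ in range(25)]
    print(batch_sizes(sample, "test", max_bytes=300))
```

Each yielded body is one HTTP request to the HEC endpoint; the same logic applies at the real 1 MB limit, where the effect is fewer, fuller requests rather than many small ones, which is what the "data balance and ingestion fidelity" note is about.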

Splunk premium solutions

You can optionally purchase Splunk apps and premium solutions subscriptions on Splunk Cloud Platform. As part of the subscription, the Splunk Cloud Platform environment is enhanced to support the premium solution. Splunk will install the premium solution on your behalf and will also upgrade the premium solution when you request a new, vetted premium solution version. Multiple premium solution subscriptions can run concurrently on the same Splunk Cloud Platform environment. Any customization of the premium solution can be done by you or through a Splunk Professional Services engagement. Splunk support will not be able to assist in tailoring the premium solution to your use case. The following premium solution subscriptions are available for Splunk Cloud Platform:

  • Splunk Enterprise Security (ES)
  • Splunk IT Service Intelligence (ITSI)
  • Splunk App for PCI Compliance

The following premium solutions are compatible with Splunk Cloud Platform and are considered separate subscriptions. Splunk support will not be able to assist with installation and configuration of the following premium solutions as part of your Splunk Cloud Platform subscription:

Security

Behavioral analytics is a Cloud only service. For information on the eligibility requirements for behavioral analytics service with Splunk Enterprise Security, see What do I need to run behavioral analytics service in the Use Splunk Enterprise Security manual.

Observability

  • Splunk Observability Cloud: See the Splunk Observability Cloud service description for more information regarding infrastructure monitoring (Splunk IM), application performance monitoring (Splunk APM), real user monitoring (Splunk RUM), and synthetic monitoring (Splunk Synthetic Monitoring). When considering Log Observer Connect, which enables direct integration of logs ingested in Splunk Cloud Platform and Splunk Enterprise with Splunk Observability Cloud, review the available Splunk Cloud Platform regions and the available Splunk Observability Cloud regions or realms.
  • Splunk On-Call: See the Splunk On-Call resources.

The Machine Learning Toolkit (MLTK) is compatible with Splunk Cloud Platform and supports a variety of use cases. Depending on the use case and algorithm, the MLTK app can be compute-intensive. Splunk recommends that you consult your Splunk technical resource and the MLTK documentation before installing the MLTK app on Splunk Cloud Platform. In addition, Splunk recommends adding the ML-SPL Performance App for the Machine Learning Toolkit so that you know the resource utilization impact of MLTK. These steps ensure that MLTK best practices are implemented on Splunk Cloud Platform.

For more information on these Splunk premium solutions, contact your Splunk sales representative.

Splunkbase and private apps

Apps and add-ons include features and functionality ranging from the simplification of data ingest to unique and valuable visualizations. To ensure security and minimize effects on performance, only vetted and compatible apps can run on Splunk Cloud Platform. Note the following:

  • Splunkbase is the system of record for app vetting and compatibility with Splunk Cloud Platform. Any app that is listed as compatible with Splunk Cloud Platform can be installed, inclusive of FedRAMP Moderate, FedRAMP High, and DoD IL5.
  • For FedRAMP Moderate, FedRAMP High, and DoD IL5, Splunk's scope of responsibility for apps and add-ons pertains only to apps that meet all the following criteria:
    • Splunk Authored
    • Splunk Supported
    • Splunk Cloud Platform Compatible
  • Splunk provides support and maintenance for Splunk Supported Apps. In addition, Splunk Cloud Platform ensures compatibility for any installed Splunk Supported Apps before commencing Splunk Cloud Platform upgrades.
  • Splunk does not provide support or maintenance for apps published by any third-party developers. For any Developer Supported or Not Supported Apps, you need to ensure compatibility with Splunk Cloud Platform.
  • Compatibility of Developer Supported or Not Supported Apps is asserted by the developers of those apps. Splunk does not perform compatibility testing of third-party apps with specific versions of Splunk Cloud Platform.
  • Splunk support will not be able to assist in tailoring the Splunkbase apps to your use case. For apps that grant you the license to customize, you will need to perform the customization yourself or through a Splunk Professional Services engagement.

For more information, see the following:

Apps that are Splunk Cloud Platform vetted and compatible are listed in either the app browser in Splunk Web or through Splunkbase. For more information about self-service app installation, see Experience designations.

Splunk Secure Gateway is included in Splunk Cloud Platform, except for FedRAMP Moderate, FedRAMP High, and DoD IL5. Splunk Secure Gateway lets you configure your Connected Experiences mobile app deployment and register devices to Splunk Cloud Platform environments. For more information, see the Splunk Secure Gateway documentation.

Apps you create to support your business needs are called private apps, and these apps can also be self-service installed on Splunk Cloud Platform. During private app installation, Splunk automatically validates your app for Splunk Cloud Platform. Issues identified by automated validation must be remediated. You can install private apps without manual validation, but you must acknowledge the Splunk General Terms regarding the potential impact of unremediated issues on your Splunk Cloud Platform environment. Private apps that are developed wholly by you are owned by you, and any customization of your private app is outside the scope of the Splunk Cloud Platform subscription.

For more information about apps, see the following topics in the Splunk Cloud Platform Admin Manual:

Storage

This section describes the data retention policy and the types of storage available to you.

Data retention

When you send data to Splunk Cloud Platform, it is stored in indexes, and you can self-manage your Splunk Cloud Platform index settings using the Indexes page in Splunk Web. Splunk Cloud Platform retains data based on index settings that let you specify when data is to be deleted. To apply different data retention settings to different sources of data, store the data in separate indexes according to the desired retention policy. You can configure different data retention policies for individual indexes according to your auditing and compliance requirements.

Each index lets you specify the maximum age of events in the index (the Retention (days) field on the Indexes page), which the service uses to determine when to delete data. When the index reaches its specified maximum size, or events reach the specified maximum age, the oldest data is deleted. Once data is deleted from the index, it is no longer searchable in Splunk Cloud Platform.

The following are the types of storage available in a Splunk Cloud Platform subscription:

  • Dynamic Data Active Searchable (DDAS) is used for searching ingested data. DDAS is also commonly known as searchable storage. You can optionally purchase additional DDAS in 500 GB increments.
  • Dynamic Data Active Archive (DDAA) is used for long-term storage; data in DDAA can be restored to DDAS to be searched. You can optionally purchase additional DDAA in 500 GB increments.

For both DDAS and DDAA, you can choose to have your data encrypted at rest using AES 256-bit encryption for an additional charge. If you choose encryption at rest, Splunk manages the encryption keys on your behalf by default. If available in your region, you have the option to manage the encryption keys instead.

You can review your storage consumption in the Cloud Monitoring Console app included in your Splunk Cloud Platform environment. The app provides information such as the amount of data stored and the number of days of retention for each index.

For more information about the data that Splunk retains and maintains on your behalf, see the Ensures Splunk Cloud Platform uptime and security section in Splunk maintenance responsibilities.

Dynamic Data Active Searchable (DDAS)

DDAS in your Splunk Cloud Platform environment should be sized based on the volume of uncompressed data that you want to index on a daily basis. For workload-based subscriptions, you purchase DDAS based on your data retention requirements, which gives you the flexibility to accommodate variability in your use case. For example, if your forecasted daily volume of uncompressed data is 1 TB and your searchable retention need is 365 days, your Splunk Cloud Platform environment should be sized to have 365 TB of DDAS. Refer to the Splunk General Terms for Splunk's policy on Overages. Ingest-based subscriptions include sufficient DDAS to store up to 90 days of your uncompressed data. For example, if your daily volume of uncompressed data is 100 GB, your Splunk Cloud Platform environment will have 9000 GB (9 TB) of DDAS. Note the following:

  • If you ingest far more data than your initial estimate and thus exceed your entitled DDAS capacity, the Splunk Cloud Platform service elastically expands the amount of DDAS to retain your data per your retention settings.
  • While DDAS is elastically expanded to ensure your data does not age out prematurely, consistently ingesting more than your estimate may affect search performance.

Dynamic Data Active Archive (DDAA)

If you require a lower-cost option for long-term storage of data, you can optionally augment Splunk Cloud Platform with DDAA. As data ages out of DDAS based on your index retention setting, the aged data is automatically moved to DDAA before deletion. Data remains in DDAA until the DDAA retention period that you specify expires.

Your DDAA subscription enables you to perform restores, subject to the amount of DDAS you have purchased as part of your Splunk Cloud Platform subscription. An additional 10% of DDAS is included with your DDAA subscription to assist with restores. The 10% is calculated on the total DDAS amount in your subscription. For example, a workload-based subscription with a 10 TB DDAS entitlement will have an additional 1 TB of DDAS added with a DDAA subscription, effectively increasing the DDAS entitlement to 11 TB. Note that this additional 1 TB should be considered reserved for DDAA restores, as any restore volume that results in surpassing the DDAS entitlement may incur a true-up cost.

Note the following:

  • Restored DDAA data is typically ready to search within 24 hours after a restoration request and remains searchable for up to 30 days.
  • Restores of large amounts of DDAA data can take longer than 24 hours to complete.
  • Multiple restores that overlap within a 30-day period will accrue against the additional 10% of searchable storage included with your DDAA subscription.
  • Refer to the Splunk General Terms for Splunk's policy for Overages.

Dynamic Data Self-Storage (DDSS)

You can also export your aged data from Splunk Cloud Platform. If you enable Dynamic Data Self-Storage (DDSS) to export your aged ingested data, the oldest data is moved to your Amazon S3 or Google Cloud Storage account in the same region as your Splunk Cloud Platform deployment before it is deleted from the index.

Note the following:

  • You are responsible for payments for your use of Amazon S3 or Google Cloud Storage.
  • Aged data is exported unencrypted to your Amazon S3 or Google Cloud Storage account.
  • DDSS data stored in S3 currently cannot be searched by Federated Search for Amazon S3.

See also

  • Exporting your aged ingested data: see Store expired Splunk Cloud Platform data to your private archive
  • Archiving your aged ingested data: see Store expired Splunk Cloud Platform data to a Splunk-managed archive
  • Managing indexes: see Manage Splunk Cloud Platform indexes in the Splunk Cloud Platform Admin Manual
  • Cloud Monitoring Console: see Monitor your Splunk Cloud Platform Deployment in the Splunk Cloud Platform Admin Manual
  • Availability of service components between the AWS and Google Cloud regions: see Region differences

Subscription types

Your subscription to the Splunk Cloud Platform service is workload-based. By exception, you may be on an ingest-based subscription. Both subscription types include either Standard Success Plan or Premium Success Plan. For more information, refer to the Splunk Success Plan.

Workload-based subscription

This subscription is based on the resource capacity consumed rather than the data volume ingested. Your subscription entitles you to the purchased workload resources and this subscription does not meter ingestion. You can increase ingest and/or search load and operate the service to your desired performance objective. As necessary, you can purchase additional resource capacity to increase ingest and search load or to improve performance. You purchase units of storage blocks based on your data retention requirements for your workload-based subscription. If you ingested far more data than your initial estimate and thus exceeded your purchased storage capacity, the Splunk Cloud Platform service elastically expands the amount of storage to retain your data per your retention settings. Refer to the Splunk General Terms for Splunk's policy for Overages. The Cloud Monitoring Console and Splunk Web provide you with the total amount of data retained at any given time.

Ingest-based subscription

By exception, you may be on an ingest-based subscription. An ingest-based subscription for Splunk Cloud Platform is based on the volume of uncompressed data that you want to index on a daily basis. The subscription pricing also includes a fixed amount of data storage. If you ingest more data than your entitlement and thus exceed your storage entitlement, the Splunk Cloud Platform service elastically expands the amount of storage to retain your data per your retention settings. Refer to the Splunk General Terms for Splunk's policy for Overages. The Cloud Monitoring Console and Splunk Web provide you with the total amount of data retained at any given time.

Data policies

Splunk Cloud Platform administers your data according to the following policies:

  • Your workload-based subscription entitles you to the purchased workload resources and this subscription does not meter ingestion.
  • Your Splunk Cloud Platform ingest-based subscription governs how much data you can load into your Splunk Cloud Platform deployment per day (GMT). You can exceed your ingest-based subscription daily index volume a maximum of five times in a calendar month. If you exceed your daily limit more than five times in a calendar month, your Splunk sales representative may work with you to help you reduce your usage to stay within the purchased limit or to purchase the necessary increase. If you are unable or unwilling to abide by the applicable usage limit, you will pay any invoice for excess usage in accordance with your Terms of Service. If you consistently exceed your ingest-based subscription limit, contact Splunk Sales to do a benchmark assessment to determine your volume needs and purchase an appropriate plan to handle your volume.

To see current and past daily data ingestion information in Splunk Web, use the Cloud Monitoring Console app. For more information, see Locate the Cloud Monitoring Console and Use the License Usage dashboards. Splunk recommends you set up alerts in the system to monitor your license usage.
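The ingest-based policy above counts daily volume per day in GMT and allows at most five overage days in a calendar month. The detail that matters when you build your own alert on license usage is the day boundary: usage that looks like two modest local days can land on one GMT day and exceed the entitlement. The following is an added example written for this page, not Splunk's own code or a Cloud Monitoring Console dashboard; it assumes per-interval ingest summaries as (ISO 8601 timestamp with UTC offset, bytes) pairs covering a single calendar month, treats the entitlement as decimal gigabytes, and the records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Tuple

# From the data policy above: up to five daily overages per calendar month.
OVERAGE_DAYS_ALLOWED = 5
GB = 10**9  # decimal gigabyte (assumption about the unit of the entitlement)


def usage_by_gmt_day(records: Iterable[Tuple[str, int]]) -> Dict[str, int]:
    """Sum ingested bytes per GMT calendar day.

    Each record is (ISO 8601 timestamp with UTC offset, bytes ingested).
    Timestamps without an offset are rejected: the policy counts days in GMT,
    so a naive local timestamp cannot be bucketed safely.
    """
    totals: Dict[str, int] = defaultdict(int)
    for stamp, nbytes in records:
        when = datetime.fromisoformat(stamp)
        if when.tzinfo is None:
            raise ValueError(f"timestamp {stamp!r} has no UTC offset")
        day = when.astimezone(timezone.utc).date().isoformat()
        totals[day] += nbytes
    return dict(totals)


def overage_report(records: Iterable[Tuple[str, int]], entitlement_bytes_per_day: int) -> Dict:
    """Flag GMT days above the entitlement and whether the month stays within policy."""
    per_day = usage_by_gmt_day(records)
    over: List[str] = sorted(
        day for day, used in per_day.items() if used > entitlement_bytes_per_day)
    return {
        "per_day": per_day,
        "overage_days": over,
        "within_policy": len(over) <= OVERAGE_DAYS_ALLOWED,
    }


# Constructed sample: ingest summaries reported in a UTC-5 zone. Neither local
# day exceeds a 100 GB entitlement, but the first two records both fall on
# 2 March in GMT and together exceed it, so that day counts as an overage.
SAMPLE_RECORDS = [
    ("2024-03-01T20:00:00-05:00", 60 * GB),  # 01:00Z on 2 March
    ("2024-03-02T09:00:00-05:00", 50 * GB),  # 14:00Z on 2 March
    ("2024-03-03T10:00:00-05:00", 40 * GB),  # 15:00Z on 3 March
]

if __name__ == "__main__":
    print(overage_report(SAMPLE_RECORDS, 100 * GB))
```

If your usage source reports in local time, convert to UTC before bucketing, as the function does; comparing local-day totals against the entitlement will under-count the overage days the policy is actually measured on.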

Subscription expansions, renewals, and terminations

You can expand aspects of your Splunk Cloud Platform subscription anytime during the term of the subscription to meet your business needs. You can optionally add subscriptions to do the following:

  • Increase your workload-based or ingest-based subscription level.
  • Add additional storage capacity in 500 GB increments to store more data.
  • Add encryption services to Splunk-hosted environments to help maintain the privacy of data at rest.
  • Add a HIPAA or PCI DSS cloud environment to assist you with meeting your compliance needs.
  • Add new use cases for Splunk Cloud Platform with Splunk premium solutions such as Enterprise Security (ES) and IT Service Intelligence (ITSI). With workload-based subscriptions, the unit of measurement is in SVC for both entitlements. With ingest-based subscriptions, the unit of measurement is in GB for both entitlements.

You will receive renewal notifications starting 60 days prior to the end date of your current subscription term. For more information on subscription renewals, contact your Splunk sales representative. If your Splunk Cloud Platform subscription expires and no temporary extension is submitted on your behalf by your Splunk sales representative, it is considered terminated. The policy for terminated Splunk Cloud Platform subscriptions is as follows:

  • Your ability to perform searches stops immediately.
  • Your ability to ingest data stops 7 days following termination.
  • Your data is deleted 60 days following termination.

If you require your ingested data to be moved into your control before the termination of your subscription, this is accomplished through a Splunk Professional Services engagement. Some data can be moved into your control by enabling Dynamic Data Self-Storage to export your aged data to your Amazon S3 or Google Cloud Storage account in the same region. Note that Dynamic Data Self-Storage does not export your configuration data. If you choose to use Dynamic Data Self-Storage to export your aged ingested data, you must do so prior to termination of your subscription. You are responsible for AWS or Google Cloud Storage charges you incur for your use of Amazon S3 or Google Cloud Storage.

Supported versions

This section lists the supported versions for Premium Apps, forwarders, hybrid search configurations, and Python interpreters that integrate with the Splunk Cloud Platform.

Current Splunk Cloud Platform and Premium App versions

Splunk determines which versions of Splunk Cloud Platform and Premium Apps to make available to Splunk Cloud Platform subscribers. Splunk adopts the release that has the most benefits for customers as quickly as possible. The table lists the current versions for Splunk Cloud Platform and Premium App subscriptions.

Subscription                   | Version
Splunk Cloud Platform          | 9.2
Splunk Enterprise Security     | 7.3
Splunk IT Service Intelligence | 4.19
Splunk App for PCI Compliance  | 5.3

Splunk Cloud Platform versions use a release numbering format that is unique to the service and not used for Splunk Enterprise: [Major Release].[Minor Release].[Release Date]. The [Release Date] is in the format YYMM. For example, the 2308 in Splunk Cloud Platform 9.1.2308 denotes a release date of August 2023.

Supported forwarder versions

The following are the supported forwarder versions for Splunk Cloud Platform. This information applies to universal and heavy forwarders that communicate directly with Splunk Cloud Platform. If you have deployed an intermediate forwarder tier that communicates directly with Splunk Cloud Platform, the following information applies to the forwarders in the intermediate tier rather than to the forwarders that are only indirectly connected. If you are unable to upgrade forwarders that communicate directly with Splunk Cloud Platform, you accept the risk of continuing to use forwarder versions that have reached their end of support date.

Forwarder version | Supported Splunk Cloud Platform versions | Heavy forwarder full support until | Universal forwarder full support until | Universal forwarder P3 support until
9.3.x | 9.0.x, 9.1.x, 9.2.x        | July 24, 2026    | July 24, 2026      | July 24, 2029*
9.2.x | 8.2.x, 9.0.x, 9.1.x        | January 31, 2026 | January 31, 2026   | January 31, 2029*
9.1.x | 8.2.x, 9.0.x, 9.1.x        | June 28, 2025    | June 28, 2025      | June 28, 2028*
9.0.x | 8.2.x, 9.0.x, 9.1.x        | June 14, 2024    | June 14, 2024      | June 14, 2027*
8.2.x | 8.0.x, 8.1.x, 8.2.x, 9.0.x | May 12, 2023     | September 30, 2023 | May 12, 2026*
8.1.x | 8.0.x, 8.1.x, 8.2.x, 9.0.x | April 19, 2023   | April 19, 2023     | October 22, 2025*
8.0.x | 8.0.x, 8.1.x, 8.2.x, 9.0.x | October 22, 2021 | October 22, 2021   | October 22, 2024*

* Each minor version of Splunk Universal Forwarder is supported from release for a total of 60 months. During the first 24 months from release of each version, the targeted Support response times are determined by issue severity and priority. For the subsequent 36 months, the targeted Support response times are limited to the P3 level.
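The version format and the support matrix above are easier to act on as an inventory check. The following is an added example, not Splunk's own code: it parses the [Major].[Minor].[YYMM] version format and classifies a forwarder against the table rows for a given date. The table data is copied from this page; the function names and the 'uf'/'hf' labels are the example's own.

```python
"""Classify forwarders against the Splunk Cloud Platform support matrix (added example)."""
from datetime import date
import re

# Rows copied from the forwarder support table on this page:
# forwarder minor version -> (supported Splunk Cloud Platform minors,
#   heavy forwarder full support until, UF full support until, UF P3 support until)
FORWARDER_SUPPORT = {
    "9.3": (("9.0", "9.1", "9.2"), date(2026, 7, 24), date(2026, 7, 24), date(2029, 7, 24)),
    "9.2": (("8.2", "9.0", "9.1"), date(2026, 1, 31), date(2026, 1, 31), date(2029, 1, 31)),
    "9.1": (("8.2", "9.0", "9.1"), date(2025, 6, 28), date(2025, 6, 28), date(2028, 6, 28)),
    "9.0": (("8.2", "9.0", "9.1"), date(2024, 6, 14), date(2024, 6, 14), date(2027, 6, 14)),
    "8.2": (("8.0", "8.1", "8.2", "9.0"), date(2023, 5, 12), date(2023, 9, 30), date(2026, 5, 12)),
    "8.1": (("8.0", "8.1", "8.2", "9.0"), date(2023, 4, 19), date(2023, 4, 19), date(2025, 10, 22)),
    "8.0": (("8.0", "8.1", "8.2", "9.0"), date(2021, 10, 22), date(2021, 10, 22), date(2024, 10, 22)),
}


def parse_cloud_version(version):
    """Split a Splunk Cloud Platform version such as '9.1.2308' into
    ('9.1', date(2023, 8, 1)); the third component is the YYMM release date."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d{2})(\d{2})", version)
    if not m:
        raise ValueError(f"not a Splunk Cloud Platform version: {version!r}")
    major, minor, yy, mm = m.groups()
    return f"{major}.{minor}", date(2000 + int(yy), int(mm), 1)


def forwarder_status(fwd_version, fwd_type, cloud_version, as_of):
    """Return the support status of one forwarder ('uf' or 'hf') connected to
    the given Splunk Cloud Platform version, evaluated on the ISO date as_of."""
    today = date.fromisoformat(as_of)
    row = FORWARDER_SUPPORT.get(".".join(fwd_version.split(".")[:2]))
    if row is None:
        return "unknown"            # forwarder line not in the table at all
    supported, hf_full, uf_full, uf_p3 = row
    cloud_minor, _release = parse_cloud_version(cloud_version)
    if cloud_minor not in supported:
        return "incompatible"       # never a supported pairing, whatever the date
    if fwd_type == "hf":
        return "full support" if today <= hf_full else "end of support"
    if today <= uf_full:
        return "full support"
    return "P3 support only" if today <= uf_p3 else "end of support"
```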

Supported hybrid search versions

This feature will no longer be supported after October 31st, 2024. Ensure that you migrate to Federated Search before this date to avoid interruptions. For instructions on how to migrate, see Migrate from hybrid search to Federated Search for Splunk in the Federated Search manual.

The table lists the supported on-premises Splunk Enterprise versions for Splunk Cloud Platform hybrid search configurations. This information is applicable to on-premises search heads that are communicating directly to Splunk Cloud Platform environments, also referred to as hybrid search heads. In order to be eligible for support, your on-premises search heads must be on the same major version (e.g. 9.0.x) as your Splunk Cloud Platform environment. If you are unable to upgrade the hybrid search heads that communicate directly to Splunk Cloud Platform to the supported versions, you accept the risk of continuing to use search heads that have reached their end of support date.

Splunk Cloud Platform version | Splunk Enterprise versions
9.2.2406                      | 9.1.x, 9.2.x
9.2.2403                      | 9.1.x, 9.2.x
9.1.2312                      | 9.1.x, 9.2.x
9.1.2308                      | 9.1.x, 9.2.x

Supported Python versions

The table lists the supported Python interpreters for Splunk Cloud Platform. For more information on Python 2.x deprecation and support on Splunk Cloud Platform, see Python 3 migration with the Splunk platform.

Splunk Cloud Platform version | Supported Python interpreters
9.2.x                         | 3.9
9.0.x, 9.1.x, 9.2.x           | 3.7

Technical support

Both workload-based and ingest-based Splunk Cloud Platform subscriptions include either the Standard Success Plan or the Premium Success Plan. For more information regarding Splunk Cloud Platform support terms and program options, see https://www.splunk.com/en_us/support-and-services/support-programs.html. You should also note the following:

  • Splunk Cloud Platform offers multiple options to ingest your data so it is your responsibility to ensure the correct data collection method is configured for your data sources.
  • Splunk Cloud Platform enables you to perform user, index and app management via Splunk Web. Any customization of Splunk Cloud Platform vetted and compatible apps is also your responsibility.
  • To use multifactor authentication for your Splunk Cloud Platform user accounts, you must use a SAML v2 identity provider that supports multifactor authentication. It is your responsibility to ensure your Splunk Cloud Platform user accounts are properly configured for multifactor authentication.
  • You can choose to leverage the optional Admin on Demand Services to quickly request technical adoption assistance from a remote Splunk technical consultant. Splunk technical consultants can assist you with tasks such as index creation, building lookups and dashboards, and data onboarding, and can install Splunk Cloud Platform vetted and compatible apps.
  • There are features in Splunk Cloud Platform that require assistance from Splunk to activate or change your configuration, such as enabling AWS Kinesis Data Firehose data to be received. When you file a support ticket, Splunk will enable such features on your behalf.

See also

For more information about                  | See
Admin on Demand Services                    | Admin On Demand data sheet and catalog
Data collection                             | Getting Data In
Performing user, index, and app management  | Splunk Cloud Platform Admin Manual

Users and authentication

Splunk Cloud Platform enables you to configure account policies that require unique usernames, minimum password length, and regular password resets. You are responsible for creating and administering your users' accounts, the roles assigned to them, the authentication method they use, and global password policies. To control what your Splunk Cloud Platform users can do, you assign them roles that have a defined set of specific capabilities, access to indexes, and resource use limits.

Roles give Splunk Cloud Platform users access to features in the service, and permission to perform tasks and searches. Each user account is assigned one or more roles. Splunk uses the Admin role and system user roles to perform essential monitoring and maintenance activities. You may observe the Admin and system user roles authenticating against your Splunk Cloud Platform environment as part of Splunk performing monitoring and maintenance activities. These activities are performed in accordance with a comprehensive security program designed to protect your data's confidentiality, integrity, and availability in accordance with the highest industry standards. Splunk Cloud Platform has been certified by independent third-party auditors to meet SOC2 Type II and ISO 27001 security standards; see Compliance and certifications. You should not delete or modify these system users or roles.

Splunk Cloud Platform provides the sc_admin role, which has the capabilities required to administer Splunk Cloud Platform. You can use the Splunk Cloud Platform sc_admin role for your administrator to perform self-service tasks such as installing apps, creating and managing indexes, and managing users and their passwords. Splunk Cloud Platform does not support direct access to infrastructure, so you do not have command-line access to Splunk Cloud Platform. This means that any supported task that requires command-line access is performed by Splunk on your behalf.

You can configure your user accounts to be authenticated using Identity Providers (IdP) such as Lightweight Directory Access Protocol (LDAP) and Active Directory (AD). You can also configure Splunk Cloud Platform to use SAML authentication for single sign-on (SSO). To use multifactor authentication for your Splunk Cloud Platform user accounts, you must use a SAML v2 identity provider that supports multifactor authentication. Depending on the Splunk Cloud Platform version and your IdP, token-based authentication is supported. While Splunk Enterprise has built-in support for multifactor authentication methods such as Duo and RSA, Splunk Cloud Platform does not support these methods of integration.

Only SHA-256 signatures in the SAML message between your IdP and Splunk Cloud Platform are supported. You are responsible for the SAML configuration of your IdP including the use of SHA-256 signatures.
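Before pointing an IdP at Splunk Cloud Platform, it is worth confirming that its SAML messages meet the SHA-256 requirement above. The following is an added example, not Splunk's code: it reads a SAML message with the standard library XML parser and flags any XML Signature algorithm or digest algorithm that is not SHA-256. The sample response is constructed, with signature and digest values elided; the algorithm URIs are the standard XML Signature identifiers.

```python
"""Flag SAML messages whose XML signature does not use SHA-256 (added example)."""
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"   # XML Signature namespace
# RSA-SHA256 is the usual SHA-256 signature URI; extend if your IdP emits another SHA-256 one.
ACCEPTED_SIGNATURE_METHODS = {"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"}
ACCEPTED_DIGEST_METHODS = {"http://www.w3.org/2001/04/xmlenc#sha256"}


def check_saml_signatures(xml_text):
    """Return (element, algorithm) pairs that are not SHA-256; empty means the message passes."""
    root = ET.fromstring(xml_text)
    problems, found = [], False
    for sig in root.iter(DS + "Signature"):
        found = True
        method = sig.find(DS + "SignedInfo/" + DS + "SignatureMethod")
        alg = method.get("Algorithm") if method is not None else None
        if alg not in ACCEPTED_SIGNATURE_METHODS:
            problems.append(("SignatureMethod", alg))
        for digest in sig.iter(DS + "DigestMethod"):       # one per signed Reference
            if digest.get("Algorithm") not in ACCEPTED_DIGEST_METHODS:
                problems.append(("DigestMethod", digest.get("Algorithm")))
    if not found:
        problems.append(("Signature", None))   # unsigned message: nothing to trust
    return problems


# Constructed sample: an IdP response still signed with SHA-1 (values elided).
SAMPLE_SHA1 = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_r1">
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>ELIDED</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>ELIDED</ds:SignatureValue>
  </ds:Signature>
</samlp:Response>"""
# The same response re-signed with SHA-256 algorithms passes the check.
SAMPLE_SHA256 = (SAMPLE_SHA1
                 .replace("http://www.w3.org/2000/09/xmldsig#rsa-sha1",
                          "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")
                 .replace("http://www.w3.org/2000/09/xmldsig#sha1",
                          "http://www.w3.org/2001/04/xmlenc#sha256"))
```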

See also

For more information about | See
Users and roles            | Create and manage users with Splunk Web in the Securing Splunk Cloud Platform manual.
Single Sign On             | Configure Splunk Cloud Platform to use SAML for authentication tokens in the Securing Splunk Cloud Platform manual; Configure single sign-on with SAML in the Securing Splunk Cloud Platform manual.
Token-based authentication | Set up authentication with tokens in the Securing Splunk Cloud Platform manual.
Last modified on 18 September, 2024

This documentation applies to the following versions of Splunk Cloud Platform: 9.2.2403 (latest FedRAMP release), 9.2.2406